The configurable Command Center puts all the information you need in one place. Manage individual agents, quarantines, threats, and more.


[Chart: CPU % Used During Scan, comparing VIPRE, McAfee, Trend Micro, Symantec, Sophos, and Webroot; x-axis: CPU Percentage]


How does your current software compare? 

VIPRE Enterprise scans at a brisk 13.95 MB/sec and 
uses just 27% of CPU and 50 MB of RAM. In idle, it 
uses a mere 13.3 MB RAM with a disk footprint of just 
113 MB. You'll hardly notice it's running! 


Until now, antivirus engines have been Frankensteins, bolted 
together from bits and pieces of different products. They're slow, full 
of bugs, and hard to manage. 

VIPRE Enterprise is a revolutionary new approach. It's built from scratch 
as the all-in-one antivirus, antispyware, anti-rootkit solution that gives 
you complete endpoint malware protection without hogging 
resources! It's fast, powerful, and easy. 

Plus, advanced anti-malware technology protects your system against 
the new wave of malware threats. No more juggling multiple programs. 
No more dealing with user complaints about slow workstation 
performance. 

• COMPLETE! All-in-one protection from today's malware. 

• FAST! High-performance and low impact on system resources. 

• EASY! Manage everything easily from one command screen. 

• RELIABLE! Configurable, real-time monitoring technology. 

• AFFORDABLE! Low $10 per seat pricing to save you money. 

Why struggle with slow resource hogs when you can manage ALL your 
malware threats with one fast, easy application? 

Curious? Download your FREE copy of VIPRE Enterprise and give it a 
test drive. 



Sunbelt Software 


When you compare VIPRE Enterprise to Symantec, McAfee, Trend Micro or whatever antivirus program you're using, you WILL want to switch! Don't worry, though. You can get VIPRE Enterprise at our competitive upgrade price of only $10 per seat!


Download VIPRE Enterprise today and get your own home version of VIPRE to keep FREE as our gift to you! 

www.TestDriveVipre.com 

Sunbelt Software Tel: 1-888-688-8457 or 1-727-562-0101 Fax:1-727-562-5199 www.SunbeltSoftware.com sales@sunbeltsoftware.com 

© 2009 Sunbelt Software. All rights reserved. VIPRE Enterprise is a trademark of Sunbelt Software. All trademarks used are owned by their respective owners. 

New licenses are available for $10/seat up to 500 seats, minimum 10 seats. For customers with over 500 seats, please call for special pricing. Available for a limited time and subject to change without notice. See website for more details. 
savision 



Live Maps for Operations Manager 2007 enables employees at all levels, from the IT operator to 
business executive, to see more context for every IT problem. Live Maps allows IT organizations 
to rapidly conceive, build and maintain large-scale monitoring maps in order to know more about how 
IT problems affect business operations. This allows IT pros everywhere to do more with less. 
To learn more about Savision's products and services or to download a free copy, visit www.savision.com. US & International Sales: +31 30 2442351 or sales@savision.com.

Microsoft Certified Partner



Get your free copy at www.savision.com/free 
From: I need training to install this 
To: My intern installed this 


NO-NONSENSE WEB FILTERING

St Bernard

FLIP THE SWITCH

Get your FREE iPrism® Switch Kit today:


That's what you'll get when you switch to iPrism from 
St Bernard - the award-winning web filter that's easier 
in every way, and less expensive to own. 

iPrism is changing the way companies and schools everywhere handle their web filtering. With blazing throughput speeds up to 100+ Mbps, anti-virus protection and seamless XenApp and Active Directory integration, iPrism is the appliance-based solution of choice for customers and institutions of any size.

Find out more about the easiest-to-deploy, most 
highly rated web filtering solution ever - the industry's 
ONLY Citrix-ready web filtering appliance. 

Call 1.800.782.3762 or go to www.SwitchToiPrism.com 


FREE 30-day onsite evaluation 

that can be deployed without any client or 
network changes 

FREE enhanced technical support 

for setting up matching policies, reports & alerts 
based on your current settings 

INCENTIVE PRICING & A FREE T-SHIRT 

just for watching a live demo 



iPrism® h-Series, the world's #1 Web Filtering appliance. 

© 2008 St Bernard Software, Inc. 
Smarter technology for a Smarter Planet:

Can an entire business 
be given a nervous system? 

On a smarter planet, the datacenter is not simply the heart of IT—it’s also the central nervous system 
of the entire business. IBM is helping companies view their extended infrastructure not as a collection 
of disconnected pieces, but as an integrated system that connects the datacenter to all of the digital 
and physical assets of the business, creating a more dynamic infrastructure. From railway systems 
that can predict and schedule their own maintenance to assembly lines that understand how to adjust 
to changing needs to power grids that match supply and demand, we’re already helping customers 
improve service, increase flexibility and reduce operating costs by as much as 50%. 


A smarter business needs smarter software, systems and services. 
Let’s build a smarter planet, ibm.com/infrastructure 




IBM, the IBM logo, ibm.com, Smarter Planet and the planet icon are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other 
product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml. 
Crockett

"IT purchases for 2010 must 
show immediate and compelling 
bottom-line savings." 


Window Shopping for 2010 IT Purchases 

Windows 7 deployment will likely surpass Server 2008 R2 and Exchange 2010 


Microsoft's three-way product launch this fall of Windows 7, Windows Server 2008 R2, and Exchange Server 2010 is a refreshing burst of activity in an otherwise stagnant product launch year. But talking about a product, getting a demo about a product, or even craving a product isn't the same as actually buying a product. (Probably only Windows 7 stirs any emotion remotely resembling a craving.)

According to our recent independently conducted audience research, as the economically painful 2009 winds to a close, businesses will continue to hold tight to their cash. New technology whose primary benefit is the cool factor isn't high on any IT manager's shopping list unless keeping his or her job also isn't top on the list. All of the future efficiencies promised by new technology will be seriously weighed against turning in decent business performance this last quarter. But that doesn't mean we all can't do a little window shopping for 2010 purchases that will achieve some efficiency benefits. The problem is finding the clear-cut efficiencies that will really make a difference in the short term.

Deployment Plans 

The clear winner among our readers in the plan-to-deploy race is Windows 7. Among our print, email, and web audience, about 58 percent of respondents indicated that they plan to deploy Windows 7 in 2010. Favorite Windows 7 features that are driving this anticipation include faster boot times, an improved UI, and the Windows XP mode (yes, there is irony in that last one). For Paul Thurrott's discussion of the Windows 7 launch and some audience reaction to the release, check out "Windows 7 Will Set Industry Afire" (windowsitpro.com, InstantDoc ID 102819). Interestingly, even the promise of excising Vista isn't enough for some of our readers to jump on Windows 7, primarily because they never deployed Vista in the first place.

Server 2008 R2 shows decent potential for deployment in 2010 as well. Only about 48 percent of our audience currently has Server 2008 running somewhere in the organization. A little over half of respondents indicated plans to deploy Server 2008 R2 in 2010. But for those who are squeamish about deployment, the admittedly intriguing features such as the 64-bit capability make the decision even tougher. Cash-strapped companies that don't already have 64-bit hardware are going to have to wait. The new Live Migration feature that lets you move Hyper-V virtual machines (VMs) between hosts with no downtime is great. But most of our readers who are currently using virtualization technology already have VMware implementations in place. (For Michael Otey's quick picks of the most compelling Server 2008 R2 features, check out "New Features in Windows Server 2008 R2," windowsitpro.com, InstantDoc ID 101470.)

The statistics regarding Exchange Server migration tell the classic if-it-ain't-broke-don't-fix-it story. About 46 percent of our audience uses Exchange Server 2003. Only about 33 percent of respondents have deployed Exchange Server 2007. And only about 32 percent of our audience plans to deploy Exchange 2010 within six months after release. For those who've looked at Exchange 2010, the winning features are built-in email archiving and Database Availability Groups (DAGs) for improved high availability. But of those readers who have no plans to upgrade, the top reasons cited for holding tight to previous versions are that they're unconvinced about the benefits of migrating, they don't have the budget, or it's simply been too soon since their last upgrade. And forget about unified communications (UC) driving adoption: Less than 8 percent of our audience have deployed any form of UC. According to comments from our Instant Polls, most readers see UC as too expensive and too complicated. In fact, a recent Instant Poll asking about Microsoft Office Communications Server (OCS) adoption elicited the most votes for the response, "What the heck is OCS?" For basic Exchange Server migrations, the angst is real as many organizations struggle with when and how to move from Exchange 2003, which has quietly and relatively seamlessly served up email in organizations for years. Paul Robichaux offers some excellent advice in "Exchange 2007 Now or Exchange 2010 Later?" (windowsitpro.com, InstantDoc ID 102197).

Hats Off to Windows 7 

So as we put the wrapper on this decidedly underwhelming IT buying year, let's all give a little salute to Windows 7 for causing some checkbooks to come out of the drawer. For most companies, IT purchases for 2010 must show immediate and compelling bottom-line savings. Bells and whistles, anyone? I didn't think so.

InstantDoc ID 102833 
Smarter technology for a Smarter Planet:

Can the boundaries of a business be 
defined by its people instead of its walls? 

On a smaller, flatter, smarter planet, we increasingly find ourselves working with people far outside the walls 
of the enterprise: partners, suppliers, customers and remote employees. IBM is incorporating new tools, like 
social software, wikis and presence awareness, throughout our collaboration portfolio—as well as new ways 
of accessing these tools through the cloud. Cloud-based solutions like LotusLive™ let your people work with 
whomever they want, regardless of what side of the firewall they’re on. All backed by the legendary security 
you expect from IBM. Now you can extend your collaboration infrastructure without the cost and complexity 
of additional infrastructure. So you don’t have to tear down your walls to reach beyond them. 


A smarter business needs smarter software, systems and services. 
Let’s build a smarter planet, ibm.com/collaborate 
Rebooting with PowerShell

Thanks to Bill Stewart ("Rebooting Computers Using PowerShell," September 2009, InstantDoc ID 102361) for a great script! This script will help me reboot hundreds of servers after patching them.

—Matthew Van Den Bos 

Keep Sharing Those Free Utilities! 

Douglas Toombs presents an excellent selection of Windows utilities in "8 More Excellent Free Utilities" (September 2009, InstantDoc ID 102446). I've been playing with WinAudit in conjunction with WinDiff. I have WinAudit pull the system files into a .csv file prior to patching. I rescan after the patch update, then use WinDiff to compare the two files.

My only problem is that the process doesn't 
seem to work properly in Windows 7, so I'm 
investigating that. 

I remember reading Toombs' "Mail Filtering with Fluffy the SMTP-GuardDog" (August 2004, InstantDoc ID 43204). At the time, I was using Exchange Server 2003 on Windows 2003 Server at home. I enjoyed looking at the logs to see who was spamming me.

Then I found out about spamhaus.org, a site that offered a DNS blacklist for home use. (Spamhaus.org is free for home users running Exchange 2000 or 2003, but corporations need to pay for it.)

I configured Fluffy to receive mail on port 25 and pass it to the Exchange on port 26—a scenario that worked great with the spamhaus.org-housed DNS blacklist as long as I was running Exchange 2003 or 2000. I could configure Exchange to provide an Edge Transport server role in the DMZ that passes mail to the back-end Exchange server via a certificate-authenticated link. Then came Exchange 2007, which offered the same (if not more) capabilities than Fluffy did. Setting up Fluffy as the email entrance point didn't work with Exchange 2007; I couldn't figure how to set the Edge Transport server to pass mail to the back-end server via port 26.

Anyway, I've used Windows IT Pro many 
times to enhance my collection of tips, 
tricks, and utilities, and Doug's articles are 
always great sources of information. Keep 
up the good work! 

—Bill Crouch 
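The before-and-after file inventory described in the letter above, written here as an added PowerShell example rather than anything from the letter, WinAudit or WinDiff: it records a SHA-256 per file, so a replaced binary is caught even when size and timestamp look unchanged. Get-FileHash needs PowerShell 4.0 or later, and the paths in the usage comments are assumptions.

```powershell
# Added example; not code from the letter, WinAudit or WinDiff.
# Snapshot a directory's files to CSV before patching, again afterwards, and
# report what was added, removed or modified. Requires PowerShell 4.0+ (Get-FileHash).

function New-FileBaseline {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $OutFile
    )
    # Path, size, UTC last-write time and SHA-256 per file. The hash is what
    # catches a replaced binary whose size and timestamp were left unchanged.
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = 'UNREADABLE'   # locked or access-denied files are recorded, not skipped
            try { $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash } catch { }
            [pscustomobject]@{
                Path          = $_.FullName
                Length        = $_.Length
                LastWriteTime = $_.LastWriteTimeUtc.ToString('o')
                Sha256        = $hash
            }
        } | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
}

function Compare-FileBaseline {
    param(
        [Parameter(Mandatory)] [string] $Before,
        [Parameter(Mandatory)] [string] $After
    )
    # Index both snapshots by path so the comparison is per file rather than per
    # CSV line, which is where a plain text diff gets noisy when files move.
    $old = @{}
    Import-Csv -Path $Before | ForEach-Object { $old[$_.Path] = $_ }
    $new = @{}
    Import-Csv -Path $After  | ForEach-Object { $new[$_.Path] = $_ }

    foreach ($p in $new.Keys) {
        if (-not $old.ContainsKey($p)) {
            [pscustomobject]@{ Change = 'Added';    Path = $p; OldHash = $null;            NewHash = $new[$p].Sha256 }
        } elseif ($old[$p].Sha256 -ne $new[$p].Sha256) {
            [pscustomobject]@{ Change = 'Modified'; Path = $p; OldHash = $old[$p].Sha256; NewHash = $new[$p].Sha256 }
        }
    }
    foreach ($p in $old.Keys) {
        if (-not $new.ContainsKey($p)) {
            [pscustomobject]@{ Change = 'Removed';  Path = $p; OldHash = $old[$p].Sha256; NewHash = $null }
        }
    }
}

# Usage (paths are assumptions):
# New-FileBaseline -Path 'C:\Windows\System32' -OutFile 'C:\Baselines\system32-before.csv'
# ... apply patches and reboot ...
# New-FileBaseline -Path 'C:\Windows\System32' -OutFile 'C:\Baselines\system32-after.csv'
# Compare-FileBaseline -Before 'C:\Baselines\system32-before.csv' -After 'C:\Baselines\system32-after.csv' |
#     Sort-Object Change, Path | Format-Table -AutoSize
```

A long Modified list after a patch window is normal; the entries worth a closer look are any Added or Modified files that the patch manifest does not account for.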
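The DNS blacklist lookup a filtering relay such as the Fluffy setup above performs before handing mail to the back-end server, as an added PowerShell example that is not from the letter, Fluffy or Spamhaus. The zone name zen.spamhaus.org is an assumption (check the list operator's current zones and usage terms), and Resolve-DnsName requires the DnsClient module shipped with Windows 8/Server 2012 or later.

```powershell
# Added example; not code from the letter, Fluffy or Spamhaus.
# Builds the reversed-octet query name a DNSBL expects and interprets the answer.

function Get-DnsblQueryName {
    param(
        [Parameter(Mandatory)] [string] $IPAddress,
        [string] $Zone = 'zen.spamhaus.org'   # assumed zone; confirm with the list operator
    )
    # A DNSBL is queried by reversing the IPv4 octets and appending the zone:
    # 192.0.2.10 -> 10.2.0.192.zen.spamhaus.org
    $ip = [System.Net.IPAddress]::Parse($IPAddress)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Only IPv4 addresses are handled here: $IPAddress"
    }
    $octets = $ip.GetAddressBytes()
    [array]::Reverse($octets)
    return (($octets -join '.') + '.' + $Zone)
}

function Test-DnsblListed {
    param(
        [Parameter(Mandatory)] [string] $IPAddress,
        [string] $Zone = 'zen.spamhaus.org'
    )
    $name = Get-DnsblQueryName -IPAddress $IPAddress -Zone $Zone
    try {
        # A listed address answers with A records in 127.0.0.0/8; the last octet
        # says which sub-list matched (the meaning of each code is zone-specific).
        $codes = Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'A' } |
                 ForEach-Object { $_.IPAddress }
        [pscustomobject]@{ IPAddress = $IPAddress; Listed = $true;  Codes = @($codes); Error = $null }
    } catch {
        # NXDOMAIN means "not listed". A resolver outage lands here too, so a relay
        # that trusts Listed = $false alone fails open; keep Error so it can be logged.
        [pscustomobject]@{ IPAddress = $IPAddress; Listed = $false; Codes = @();       Error = $_.Exception.Message }
    }
}

# Constructed connecting-client address for illustration (RFC 5737 documentation range):
# Test-DnsblListed -IPAddress '192.0.2.10' | Format-List
```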

Ease Up on EU 

I'm a long-time reader of Paul Thurrott's WinInfo newsletter, and I greatly appreciate his excellent views on all IT matters. However, his stance in "Google Scrambles to Appease EU Regulators over Book Scanning" (September 8, 2009, InstantDoc ID 102776) regarding "overly aggressive European Union antitrust regulators" is getting a bit tiresome.

I have no problem with the EU investigating anyone, as many times as necessary, as long as the outcome is just. I don't follow the EU cases as closely as Paul does, but the only case I think the EU got wrong was the Internet Explorer (IE) bundling case. However, that was on the back of Microsoft's bullying of PC makers.

My problem with EU regulators is that they don't apply the same level of scrutiny and standards to other companies. I'm thinking of Apple and Google. If you're going to beat EU regulators with a stick, beat them with the correct stick, please!

The Google book-scanning case is probably the trickiest of the lot because it covers differing copyright laws in every country. Ultimately, the concern involves freedom of information. I can go to a local library and get just about any book I want. Google is aiming for that kind of accessibility, but the library offers it for free, non-profit, for the common educational goal of "books for everyone, for free." One company I worked for had a small library that was connected to the local public library, offering book shares and book rotation.

I'm generally not a fan of government-run organizations. However, if the alternative is Google holding all the keys to all the books, I'd prefer a government-run (or even a United Nations Educational, Scientific and Cultural Organization—UNESCO—run) organization. Then again, I wouldn't trust either Google or the UN to open a can of baked beans.

I hope this letter doesn't come across as a bash. Please keep up the truly brilliant work, Paul.

—Mark Gillard

InstantDoc ID 102823

Windows IT Pro welcomes feedback about the magazine. Send comments to letters@windowsitpro.com, and include your full name, email address, and daytime phone number. We edit all letters and replies for style, length, and clarity.

Microsoft Supports Microsoft Support

I read your "What Would Microsoft Support Do?" column every month, and I really like the tips that it provides. The September article about ProcDump ("Got High-CPU Usage Problems? ProcDump 'Em!" InstantDoc ID 102479) is very cool. I referenced this article in my personal blog on TechNet (blogs.technet.com/yuridiogenes/archive/2009/09/01/wspsrv-exe-causing-random-high-cpu-utilization-how-to-catch-it.aspx) because this tool can also help Microsoft Internet Security & Acceleration (ISA) administrators in some scenarios. Thank you for sharing this information.

—Yuri Diogenes, Senior Security Support Escalation Engineer, Microsoft Corporation
Smarter technology for a Smarter Planet:

Building the extraordinary 
into everyday things. 

By next year, the average car will require over 100 million lines of software code, and a commercial 
airplane, over 1 billion. It’s approaching the point where a car or a plane isn’t simply a car or a plane 
anymore. What makes them truly unique is the underlying software—the invisible thread—that infuses 
them with intelligence. In the past year alone, 66% of the products developed included embedded 
software. Today, software is a core strategic business asset. Unfortunately, 41% of software projects 
fail to deliver the expected ROI. Only IBM has the experience, the resources and the solutions to build 
more effective software design and delivery processes for the world’s leading businesses. 


A smarter business needs smarter software, systems and services. 

Let’s build a smarter planet, ibm.com/delivery



IBM, the IBM logo, ibm.com, Smarter Planet and the planet icon are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names 
might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml. © International Business Machines Corporation 2009. 
Readon


On a Windows Server 2008 R2 File 
Server Cluster we're seeing failover/ 
fallback times within two seconds. 

Nice! —@alsugano Wed, Sept 2, 2009




Overheard 

Proof that Steve Jobs is 
afraid of buttons: 

1. Mac mice. 2. iPhone. 3. Turtlenecks. 



Windows 7: Migrate or Wait?

from the Windows IT Pro Magazine Forum on LinkedIn

Q: Microsoft expects to release Windows 7 before the end of 2009. What are your migration plans? Will you move immediately on release? Wait 6 months? A year? If you do plan to move quickly, what is compelling you to do so? —Amy Eisenberg, Executive Editor, Windows IT Pro


I'll be reviewing the compatibility of Windows 7 with my current legacy applications and the application vendors. We are currently an XP shop but do have the hardware in place to make the upgrade. So far, in our trials, it looks promising. More promising than Vista did when we initially tested it. —Chris Muncy

We will upgrade to Windows 7 on our next hardware refresh, which should be in 18-24 months. Hopefully we will have some 2008 R2 servers in place by that time to take advantage of Direct Access. —Peter Diamond


We are definitely upgrading. We will wait at least 6 months though. I am shooting for a summer 2010 roll out. We skipped Vista due to software compatibility issues, but so far, our testing has been positive with Windows 7. Our current hardware will support a large scale rollout of 7. Other than the time to do it, it should be fairly painless. (Famous last words :P) —Robert Jones


Q: Sounds like shops on XP don't have any major concerns about migrating to Windows 7, other than finding the time to get it done. Has the current economic climate affected your plans in terms of timing for your migration? —Amy Eisenberg


Not for us. I work for a university and while there have been budget cutbacks, we haven't lost a crippling amount from IT. Plus, we have a site license for virtually all of Microsoft products so cost is not as big of an issue here. We do things on a semester basis. Since Windows 7 will be released during the fall semester, we will be using the spring semester to get our images and final software testing completed. If all goes well, we should be able to push it out in August of 2010 for use by returning and new students in the fall of 2010. We do have a plan B, but I hope we don't need it. —Robert Jones

The key to migration is legacy applications that cannot be replaced or upgraded due to the economic situation. If the legacy applications work correctly as new machines are deployed, we may leave Windows 7 on them and phase it in.

If legacy applications prove to be a problem we will buy Win7 licenses and continue with WinXP until we can afford to replace or rewrite the applications that don't work. —Mike Johnson

Dell made an announcement yesterday that they started releasing Win7 drivers last Friday. I have a 2 year old Latitude laptop that I just wiped, installed 32 bit Vista, then upgraded to Win7. Wow.... Painless and everything came up. —Chris Muncy

I have been running Windows 7 for a little over a week now on a Dell Latitude D630, 64-bit version. It was a breeze to upgrade and I have [not] had to load a single driver. All of my apps work and it's faster than Vista x64. —Robert Jones
Your guide to sponsored resources

Video: SharePoint 
Virtualized with Hyper-V 

Learn how a dynamically provisioned data center can help achieve high availability in a virtualized SharePoint environment. In this brief video configuration scenario, you'll learn how the F5 Management Pack works with Microsoft System Center technologies to monitor SharePoint traffic and the whole virtualized environment, and then take appropriate action to maintain high performance and availability.
windowsitpro.com/go/VirtualizedSharePoint

Exchange Server 2010: 
Deploying Unified 
Communications— 

Free online event 

Learn how to turn your Exchange 2010 deployment into a launch pad to the Unified Communications future! Join expert Paul Robichaux on December 1 as he presents a clear, insightful, and independent look at how your Exchange deployment can help you net the benefits of Unified Communications.
windowsitpro.com/go/ExchangeServer2010DeployingUC


Meeting Compliance Objectives in SharePoint

In recent years, the business and political landscape has seen incredible change with regard to the rules and regulations governing the stewardship of electronically stored and processed information. Compliance has become critical. This white paper aids IT administrators—and other stakeholders responsible for managing Microsoft SharePoint deployments—in planning and implementing a comprehensive, reliable, and efficient compliance strategy appropriate to their organizational needs.
windowsitpro.com/go/Shl^MitcJ
Thinking outside the box
depends on what’s in the box. 

Energy demands in today’s server rooms aren’t simply a matter of costs. They’re increasingly impacting day-to-day operations. A recent study found that an estimated half of all businesses have experienced IT outages due to power and cooling issues.¹ The entire architecture of the IBM BladeCenter® HS22 is designed to give you greater efficiency at every level—from its highly efficient design and Intel® Xeon® Processor 5500 Series to its advanced management software, such as IBM Systems Director, which actively monitors power consumption, to built-in sensors that optimize cooling. All of which can add up to 93% in energy savings over the previous generation of rack servers. Learn how you can see a return on your investment in as little as three months² at ibm.com/hs22

Systems, software and services for a greener planet.



¹ Source: IDC Market Analysis #215870, Volume 1, December 2008, Worldwide Server Energy Expense 2008-2012 Forecast. ² Return on investment and power savings calculation based on 11:1 consolidation ratio scenario of 166 Intel 1U 2 socket servers to 14 BladeCenter HS22 servers and savings in energy costs, software license fees and other operating costs. Actual costs and savings will vary depending on individual customer configurations and environment. For more information, visit www.ibm.com/smarterplanet/claims. IBM, the IBM logo, ibm.com and BladeCenter are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml. Intel, the Intel logo, Xeon and Xeon Inside are trademarks or registered trademarks of Intel Corporation in the United States and other countries. © International Business Machines Corporation 2009. All rights reserved.
Thurrott 

"Microsoft finally has a credible alternative to the 
virtualization market leader, built on top of the 
Windows Server platform you already know." 


NEED TO KNOW 


What You Need to Know About Hyper-V 2.0 


With the release of Windows Server 2008 R2 this fall, Microsoft is ushering in a surprisingly comprehensive update to its core Windows Server product. But no Windows Server technology is arguably as central to the software giant's strategy as the Hyper-V hypervisor-based virtualization platform, which has gotten a major makeover in its 2.0 release. Here's what you need to know about Hyper-V 2.0.

Hyper-V 2.0 High-Level View 

Hyper-V 2.0 is available as an installable role in Server 2008 R2 Standard, Enterprise, and Datacenter Editions. It's also available in the midmarket-oriented Server 2008 R2 Foundation Edition and as a free, bare-metal standalone server called Microsoft Hyper-V Server 2008 R2. All of these products are available only in 64-bit versions.

Hyper-V is a hypervisor-based server virtualization platform. It 
provides the ability to run virtualized client and server guest OSs 
under the host Server 2008 R2 OS (or, in the case of Microsoft Hyper- 
V Server 2008 R2, under that basic host OS), and forms a virtualized 
infrastructure where you can consolidate older servers, deploy and 
manage new server installations, and perform other tasks traditionally 
associated with physical machines. Hyper-V 2.0 has been streamlined 
to run effectively in a variety of environments, from small-to-midsized 
businesses (SMBs) to the largest data centers. 

What's New in Hyper-V 2.0 

Live Migration is arguably the signature new feature in Hyper-V and 
it significantly closes the gap between this solution and VMware's 
more mature virtualization products. Live Migration provides a way 
to move a running virtual machine (VM) from one physical host 
server to another in near real-time, with no service interruption to 
connected clients. 

Hyper-V 2.0's Live Migration functionality works with another new feature of the underlying Server 2008 R2 platform, Cluster Shared Volumes, to provide failover capabilities as well. Each server must exist within the same failover cluster and access the same shared storage.

From a scalability perspective, Hyper-V supports heady resource allotments, and with this release, the bare-metal Microsoft Hyper-V Server 2008 R2 product corresponds to the specifications of the broader Server 2008 R2 platform (whereas the first version was far more constrained). It supports up to eight physical processor sockets (64 for Datacenter Edition), up from four. Processor core support is also up dramatically, to 64. The original shipping version of Hyper-V supported 16 processor cores, though that was later increased to 24 via a software update. The maximum number of virtual processors is eight times the number of logical processors (essentially equivalent to the number of physical processor cores).

Additionally, Hyper-V 2.0 supports up to 1TB of RAM and up to 16 
cluster nodes. The maximum number of running VM guests is 384, up 
from 192 in Hyper-V 1.0. 

Hyper-V 2.0 also improves virtual networking performance via 
several new networking advances, including VM Chimney, which 
provides TCP offloading functionality that maps virtual network 
traffic to a specific physical NIC. And the Jumbo Frames feature that 
was introduced in Server 2008 is available to VMs as well, improving 
network throughput and reducing CPU utilization. 

The Standalone vs. the Installable Role 

Although Hyper-V 2.0 in free, standalone Microsoft Hyper-V Server 
2008 R2 is largely identical to that in the mainstream Server 2008 R2 
editions, it's also different. Microsoft Hyper-V Server 2008 R2 supports 
clustering, for example, but doesn't include any virtualization rights 
for guest VMs. (Server 2008 R2 Enterprise Edition comes with four VM 
licenses, while Datacenter Edition includes unlimited VM licenses.) 

For admins, the biggest difference is that Microsoft Hyper-V Server 
2008 doesn't include a local administration console. Instead, this free 
server provides a simple command-line-based tool for making simple 
configuration changes only (i.e., setting the machine name and join¬ 
ing a domain). To manage Microsoft Hyper-V Server 2008 R2, you 
need to do so remotely using Microsoft Remote Server Administration 
Tools (RSAT) in Server 2008, Server 2008 R2, or Windows 7. (For the 
latter, a separate download is required.) Or you can use System Center 
Virtual Machine Manager 2008 R2. 

Recommendation 

From a performance and scalability perspective, Hyper-V 2.0 makes 
upgrading a no-brainer for existing customers. But the product is 
particularly compelling for new customers as well. 

Though it's free, Microsoft Hyper-V Server 2008 R2 is now largely equal to the functional capabilities of its more expensive siblings, and it's the perfect way to get your feet wet with virtualization. Hyper-V 2.0 is nearly as mature and full-featured as VMware's solutions. With Hyper-V 2.0, Microsoft finally has a credible alternative to the virtualization market leader, and it's built on top of the Windows Server platform you already know and trust.

InstantDoc ID 102764 

PAUL THURROTT (thurrott@windowsitpro.com) is the news editor for Windows IT Pro. He writes a weekly editorial for Windows IT Pro UPDATE newsletter called WinInfo Daily UPDATE (www.wininformant.com).
Smarter technology for a Smarter Planet:

Service in the age of smart assets.

Smart assets are making it possible to spread intelligence into everything from power lines to railroad lines to 
assembly lines. The challenge is: how do you choreograph the physical and the digital to provide the quality 
services your customers expect and the flexibility your business needs? IBM’s approach to service management 
can help you extend visibility, control and automation through all of your company’s services so you can easily 
modify existing services or quickly add new ones, laying the groundwork for a more dynamic infrastructure. 
We’re helping companies all over the world—20 of the 20 top telcos and 7 of the 10 largest automotive 
manufacturers—reach beyond the datacenter to deliver flexible services in a smarter way. 

A smarter business needs smarter software, systems and services. 

Let’s build a smarter planet. ibm.com/svcmgmt 
WINDOWS POWER TOOLS 



Minasi 

"Sometimes Set just won't satisfy certain 
needs—that's when you need to graduate to 
the more capable Setx." 


Enhanced Environment Variable Control with Setx 

It's the tool you need when Set doesn't do the trick 


Last month, I covered some intriguing capabilities of the 
essential Set command (in Windows 2000 and later)— 
namely, convenient methods for soliciting user input 
to a batch file and performing arithmetic on environment 
variables. But what about getting data into an 
environment variable in the first place? That speaks to 
the command's more basic uses. And in that regard, sometimes Set 
just won't satisfy certain needs—that's when you need to graduate 
to the more capable Setx. 

Many batch files that utilize an environment variable set its value 
either with a solicitation for user input (as I showed you last month 
with the /p switch) or with a simple Set command: 

set myname=Mark 

That command works fine, but sometimes you need to stuff other 
kinds of things into an environment variable, such as the result from 
a command (e.g., extracting the round-trip time from a Ping statement) 
or a value in a registry entry. 

For at least 10 years, a resource kit tool called Setx has let you 
do that, and in Windows Vista and later, Setx is built into the OS. As 
you'll see, Setx can be a bit quirky (no surprise to fans of resource 
kit tools), but it can also provide the basis for some powerful batch 
files. 

Suppose, for example, that you want to grab a registry value 
and put it into an environment variable. You need to retrieve the 
name of the organization that your copy of Windows is registered 
to, either for a report or to verify that the organization in the 
registry is the correct one. Windows stores that information in the 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\ 
CurrentVersion\RegisteredOrganization registry subkey. With the 
command 

setx regorg /k "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization" 

Setx will extract the value and put it into an environment variable. 
Setx can grab data from a number of sources—not just the 
registry—but in this case, the /k option directs Setx to the registry. 
At first glance, the string in quotes looks like a registry subkey, but 
it isn't: It combines the name of a registry subkey and the name of 
the value entry inside that subkey whose contents you want Setx 
to store in an environment variable named regorg. If all goes well, 
Setx's output looks like 


Extracted value: "MR&D". 

SUCCESS: Specified value was saved. 

Setx doesn't have an option to suppress this wordy output, but you 
could always block the Setx chatter from appearing onscreen by 
redirecting the output to the nul device: 

setx regorg /k "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization" >nul 

So, now you have an environment variable named regorg in the 
system. However, remember that "quirk" I mentioned? For reasons 
only Setx's developers know, Setx creates that environment variable 
and populates it—but it doesn't communicate the situation to the 
copy of the environment variable in your current command-line 
window. Therefore, any command that you run in the command-line 
window where you just ran the Setx command won't be able to see the 
value that you just created in the environment variable. For example, 
typing set regorg would yield the error message Environment variable 
regorg not defined. To see the new environment variable value, you'd 
need to open a second command window and run your command. 

Techies who use environment variables know that Windows 
stores some of them in the system's profile and some in the user's 
profile. Typing set from a command prompt shows environment 
variables from both the system and user profiles, with no indication 
of any given environment variable's source. To my knowledge, 
there's no way to use the Set command to see only the system- 
related environment variables or the user-related environment 
variables, although you can see the difference by clicking the 
Environment Variables button on the Advanced tab of your computer's 
System Properties page. With Setx's /m option, you get a little more 
control over environment variables that you create. When you use 
the /m option, your new environment variable goes into the system 
profile rather than your user profile. 
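As an added example that is not part of the column, the following PowerShell script (the steps are the same from a batch file) performs the Setx registry extraction described above, demonstrates the quirk that the window you ran Setx in does not see the new variable, and shows two ways to get the value into the current session anyway. The expected organization string is a placeholder you would replace.

```powershell
# Added example, not from the column: persist a registry value with Setx, show
# why the current window cannot see it, and read it back anyway.
$regKey    = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$valueName = 'RegisteredOrganization'

# Setx /k reads the value and writes it as a persistent user variable (under
# HKCU\Environment); the "Extracted value ..." chatter is sent to nul, as in
# the column.
setx regorg /k "$regKey\$valueName" | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "setx failed (exit code $LASTEXITCODE): value missing or access denied"
}

# The quirk: the variable is now in the registry, but the environment block of
# this already-running process was not updated, so the Process scope is empty
# on the first run even though the User scope already has the value.
$inProcess = [Environment]::GetEnvironmentVariable('regorg', 'Process')
$persisted = [Environment]::GetEnvironmentVariable('regorg', 'User')
"Process scope : '$inProcess'   (what commands in this window see)"
"User scope    : '$persisted'   (what a new window will see)"

# Workaround 1: copy the persisted value into this process yourself.
$env:regorg = $persisted

# Workaround 2: read the source key directly, which is also how to verify that
# the organization in the registry is the one you expect (placeholder value).
$expected = 'Example Org, Inc.'
$actual   = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').$valueName
if ($actual -ne $expected) {
    Write-Warning "RegisteredOrganization is '$actual', expected '$expected'"
}

# Setx /m would instead store the variable in the system profile (machine-wide,
# visible to every user), and that write requires an elevated prompt.
```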

If you're writing in-depth batch files, Setx can help you, so it's 
good news that it's "in the box" in recent Windows editions. Next 
month, I'll show you what else it can accomplish. 

InstantDoc ID 102706 
Otey 

"You can manage your entire 
virtualization infrastructure with VMM, 
including both Microsoft Hyper-V and 
VMware ESX Server virtual machines." 




New Features in Virtual Machine Manager 2008 R2 

Live Migrations, improved storage features, and broader 
management options bolster VMM 


Of all the different technologies at Microsoft, there's no 
doubt that none is evolving faster than System Center 
Virtual Machine Manager (VMM). You can manage 
your entire virtualization infrastructure with VMM, 
including both Microsoft Hyper-V and VMware ESX 
Server virtual machines (VMs). You can also create 
and deploy new VMs as well as manage VM states and storage. The 
new VMM 2008 R2 release is designed to take full advantage of the 
recent Windows Server 2008 R2 and Hyper-V R2 improvements. 
Here are the top ten new features in VMM 2008 R2. 

1. Live Migration—Without a doubt, the most important new 
feature in VMM 2008 R2 is Live Migration. This feature is the 
equivalent of VMware's VMotion; it lets you move a virtual 
machine (VM) between Hyper-V hosts with no downtime. Live 
Migration requires Windows Server 2008 R2 or Hyper-V Server 
2008 R2. 

2. Support for the Clustered Shared Volume (CSV) file system— 
To support Live Migration, Microsoft added the CSV file system 
to Server 2008 R2. CSV lets multiple hosts in a cluster simultaneously 
access a shared LUN. The CSV feature also facilitates easier 
storage management by letting you store multiple VM files on the 
same LUN. 

3. Support for hot add/removal of storage—VMM 2008 R2 
supports the hot addition and removal of storage on Hyper-V 
VMs. This new feature lets you add Virtual Hard Disks (VHDs) 
to running VMs and remove VHDs from running VMs with no 
downtime. 

4. Rapid provisioning—The new rapid provisioning feature lets 
administrators utilize underlying SAN technologies for cloning 
VM files, then combines the cloned image with the ability 
to supply a VMM template for customizing the guest OS. Rapid 
provisioning doesn't have a UI. Instead, it's driven by PowerShell 
commands. 

5. Quick Storage Migration—VMM 2008 R2's Quick Storage 
Migration lets you move Hyper-V VM storage between different 
LUNs with minimal downtime. Quick Storage Migration 
is particularly useful for taking advantage of CSV storage and 
consolidating your VM files on a shared LUN. Quick Storage Migration 
requires between 20 seconds and a couple of minutes of downtime, 
depending on the size of your VMs and the performance of your 
storage subsystem. 

6. Support for VMware Storage VMotion—Closely related to Quick 
Storage Migration is support for VMware Storage VMotion. Storage 
VMotion lets you move an ESX Server's VM files between 
LUNs with no downtime. Like VMM 2008's support for VMotion, 
support for Storage VMotion requires VMware vCenter Server. 

7. Support for Veritas Volume Manager—Another new storage- 
related enhancement in VMM 2008 R2 is built-in support for 
Veritas Volume Manager. VMM 2008 R2 recognizes Veritas 
Volume Manager disks as a cluster disk resource. 

8. Enhanced iSCSI SAN support—VMM 2008's support for iSCSI 
SANs has been improved so that multiple LUNs can be bound 
to each iSCSI target. This capability provides broader industry 
support for more iSCSI SAN hardware options. 

9. Maintenance mode—Maintenance mode lets you specify that 
you're going to perform some type of hardware or OS maintenance 
on a Hyper-V host. When you use maintenance mode 
on a Hyper-V host, all the VMs that are Live Migration-enabled are 
migrated to another host. VMs that aren't configured for Live Migration 
automatically have their state saved. 

10. Host compatibility checks—One of the limitations of moving 
VMs between hosts is the fact that the hosts must have compatible 
processors. For example, you can't move a VM from 
a Hyper-V host that uses an Intel CPU to a Hyper-V host that uses 
an AMD CPU. VMM 2008 R2's host compatibility checks verify that 
the CPUs of different hosts are compatible for actions such as Live 
Migration and Quick Storage Migration. 
What if fragmentation never happened? 



Even a good defragmenter working 
invisibly in the background can’t 
touch a specific hidden source of 
performance loss caused by fragmentation 
that many IT managers are unaware of. Many 
know that all systems suffer from fragmentation 
and that fragmentation bottlenecks the slowest 
component on every computer: the hard drive. 
Automatic defragmentation catches fragments 
soon after they are created and returns files to 
a contiguous state. It’s a reactive fix. 

But what if fragmentation never happened? 


Today's network efficiencies depend on achieving 
greater throughput. If it's bottlenecked, it doesn’t much 
matter how much whiz-bang you threw money at in the 
way of equipment, your productivity suffers. The ability of 
a server, workstation or laptop to generate high I/Os per 
second (IOPS) has become one of the key throughput 
abilities system managers look for when upgrading their 
networks. I/Os are a critical resource and the more effectively 
they are employed toward direct production, the more work 
gets done in the least amount of time. 


The problem worsens with scale. The busier a system or a 
network is, the more fragmentation is being created by 
"diverted" split I/Os and the more overexpansion and 
provisioning is needed to get a job done. 

Introducing Diskeeper® 2010 performance 
technology with IntelliWrite™ — the first ever 
fragmentation prevention technology. 

Diskeeper Corporation, the inventors of automatic 
defragmentation, has just released a technology that takes 
system performance and efficiency to a previously unattainable 
level. IntelliWrite file prevention technology proactively prevents 
up to 85% and more of the fragmentation a system can 
generate. This technology is completely new and no other 
solution comes close to the benefit IntelliWrite can have on 
every Windows® network. IntelliWrite keeps disks clean and 
fast by intelligently writing contiguous files to the disk. 



An at-a-glance UI showing how many file fragments were prevented gives the IT 
manager an important window on system speed and efficiency gains 


The real damage 

When fragmentation occurs, the system has already 
wasted precious I/O resources by writing files into fragments 
of space on the disk. This cuts into the system's “effective 
IOPS”: system activity that leads directly to a desired 
product, not a preparatory activity needed so productivity 
can occur. This event has tremendous ramifications. As 
a simplified example, if you need 1500 IOPS to get a job 
done in the afforded period of time and your system will 
only give you 1000, you must either buy more hardware 
to get that productivity, do less work, or wait. The more 
I/Os that occur, the more disk head movement, the more 
energy the site consumes and the more cooling is required. 


So, what if fragmentation never happened? Benefits like 
these would become commonplace: 

• More productivity with the same hardware 

• Longer computer life 

• Completely new levels of speed and efficiency 

• Significantly less energy consumption including 
cooling requirements 

• Faster file reads and writes 

• Minimized/eliminated data replication traffic and 
storage requirements. 

You can have all this with new Diskeeper 2010. 

Get more information here: 

www.diskeeper.com/2010 


© 2009 Diskeeper Corporation. All Rights Reserved. Diskeeper, “the only way 
to prevent fragmentation before it happens” and IntelliWrite, are registered 
trademarks or trademarks owned by Diskeeper Corporation in the United States and/ 
or other countries. All other trademarks and brand names are the property of their 
respective owners. 


The only way to 
prevent fragmentation 
before it happens.™ 












WHAT WOULD MICROSOFT 
SUPPORT DO? 


Mangipano 


"When no information is output to the system 
about a problem, you can use the debugger 
to identify what's going on in the process." 



Further Adventures in Debugging 

5 tips for tracing the source of problems by using the Windows debugger 


How many times have you faced a problem where 
no error information was displayed on screen and 
related logs provided no data to help trace the failure? 
To help you solve such problems, I'll provide 
some tips that admins who are new to debugging 
can use as a starting point. I'll demonstrate these 
tips by using an application that I support—Device Manager—which 
you're probably familiar with. I'll spare you the mind-numbing 
walkthrough of the entire assembly-level debug of this particular 
problem and instead offer some basic debugging techniques to help you 
as you cross over into the intangible binary world of debugging. 

Tip 1: Open a process in the debugger. 

When no information is output to the system about a problem, you 
can use the debugger (windbg.exe) to identify what's going on in the 
process. (For more information about getting started using the 
debugger, see "Administrators' Intro to Debugging," June 2009, InstantDoc 
ID 101818.) Before launching a process in the debugger, you'll need to 
obtain the command line to type into windbg to launch that process. 
You can find the command line by using Process Explorer (technet 
.microsoft.com/en-us/sysinternals/bb896653.aspx); to obtain the 
command line, simply double-click the process, and you'll see the 
command line displayed on the Image tab. 

After opening the Windows debugger from the Debugging 
Tools for Windows Start menu group, you can launch 
Device Manager by selecting Open Executable from the 
File menu. Enter the command line that you'd normally 
use to start the process. 

Tip 2: Find out as much as you can before 
debugging. 

Before jumping into the debugger, get some basic information 
about the code you want to study. Determining where 
to start debugging often begins outside the debugger. You 
need a way to determine the names of functions related to 
your problem. For example, if your application is reporting 
an error stating it was unable to open a registry key, your goal 
is to identify the function that's used to open registry keys. So 
how do you know what functions are used for different tasks? 
Although the function names provide some clues, you can 
use MSDN to research what calls are available. For example, 
a quick MSDN search on "registry functions" would locate 
the MSDN documentation listing these functions at 
msdn.microsoft.com/en-us/library/ms724875(VS.85).aspx. You'd see that 
RegOpenKeyEx is the function used to open registry keys. 

You can use the free Dependency Walker tool (depends.exe), 
available at www.dependencywalker.com, to obtain information 
about relevant functions. Dependency Walker displays what DLLs 
a binary uses and the function names that the binary uses from the 
DLL. Obtaining this information is easy: Launch depends.exe, then 
open the binary file that you're troubleshooting via the open 
command from the File menu. Dependency Walker will then display the 
names of the functions that this application calls when it executes. 
This information is important to your debugging because it lets you 
identify interesting calls that may be related to the problem. For 
example, if your application is popping up a message stating that 
the network connection attempt failed, you'd search Dependency 
Walker's output for function names that appear related to opening 
network connections. You can then use the debugger to investigate 
these calls as they're made. 

As an example, let's use Dependency Walker to open devmgr 
.dll. This is the binary comprising the code that mmc.exe uses to 
create the Device Manager snap-in. As you can see in Figure 1, 
Dependency Walker shows that devmgr.dll imports various 
functions related to device enumeration from setupapi.dll. In case you're 


Figure 1: Viewing devmgr.dll-related functions in Dependency Walker 


0:000> x devmgr!*Devices* 
72af71a9 devmgr!CMachine::CreateClassesAndDevices = <no type information> 
72aef942 devmgr!CClass::GetNumberOfDevices = <no type information> 
72af0810 devmgr!ViewDevicesMenuItems = <no type information> 
72af65fd devmgr!CMachine::DestroyClassesAndDevices = <no type information> 

Figure 2: Using the x debugger command 


0:000> wt -l2 
Tracing setupapi!PNP_GetDeviceList to return address 770edf88 
   10     0 [  0] setupapi!PNP_GetDeviceList 
    1     0 [  1]   setupapi!NdrClientCall2 
    3     0 [  1]   rpcrt4!NdrClientCall2 
<Omitting lengthy output> 

Figure 3: wt command output 


wondering how I determined that devmgr.dll 
is the DLL used to create Device Manager, 
devmgmt.msc is actually an XML file 
that lists devmgr.dll in the text. You can use 
Notepad to open it. 

Tip 3: Set breakpoints. 

Once you start a process in the debugger, 
the debugger will stop at an initial 
breakpoint during process initialization. 
However, this isn't usually the best place 
to start debugging. Execution of a program 
typically consists of many different assembly 
instructions and function calls. However, 
only a small number of these may be related 
to the problem at hand. You need a way to 
get the debugger to allow the program to 
run until the functions that you've identified 
as relevant (by using depends.exe) are 
encountered. To accomplish this, you set 
breakpoints. 

You can set a breakpoint against a function 
by using the bp (set breakpoint) command. 
Then you use the g (go) command to 
resume execution of the threads in the process 
so that they can continue running until 
something causes the debugger to break in 
again. Here are the commands and output: 

0:000> bp setupapi!CM_Get_Device_ID_List_ExW 
0:000> g 

Breakpoint 0 hit 

When this breakpoint is hit, you'll be at the 
beginning of the function call that you're 
interested in. In tips 4 and 5, we'll review 
some commands you can run once you get 
to these locations. 

In the previous output, the debugger 
informed us that we've hit breakpoint zero. 
You can list the breakpoints by using the bl 
(breakpoint list) command. We have only 
one breakpoint, which is numbered as zero. 


0:000> bl 
 0 e 770edf2d     0001 (0001)  0:**** setupapi!CM_Get_Device_ID_List_ExW 

So how can you search for the names of the 
functions that you might want to set breakpoints 
against? The x (examine symbols) 
command can use the symbol information 
to obtain functions and other data matching 
a wildcard pattern. The example in Figure 2 
lists all symbol data matching the wildcard 
pattern *Devices* from the devmgr module. 
You can then set breakpoints against any of 
these functions. 

If devmgr.dll hasn't yet been loaded 
into the process, this command will fail. In 
such situations, you'll need to instruct the 
debugger to halt when a specific module is 
loaded. The following command will cause 
the debugger to break-in when setupapi.dll 
is loaded: 

0:000> sxe ld:setupapi 
0:000> g 

ModLoad: 770e0000 771e8000 c:\windows\system32\setupapi.dll 

Tip 4: Identify call flow. 

Once you've hit your breakpoint, you can 
find out what called the function and what 
the function calls (i.e., call flow) by examining 
the stack using the kC (display stack 
backtrace) command. In our example, I ran 
the kC command after hitting a breakpoint 
that I had set against setupapi!PNP_GetDeviceList. 
Stacks grow upward. This means 
that the top-listed function was the last 
one called. The kC command output will 
show the stack after hitting a breakpoint 
set against setupapi!PNP_GetDeviceList. 
Devmgr.dll has called into setupapi.dll to 
enumerate the list of devices. 

To identify the calls a function makes by 
watching and logging its execution, you can 
use one of the most powerful commands in 
the Windows debugger: wt (watch trace). 
You can run this command from the beginning 
of a function call; doing so will output 
the calls made by this function to the screen. 
In the example in Figure 3, I used the -l2 
parameter to limit the output depth to two 
levels. In this example, setupapi!PNP_GetDeviceList 
called setupapi!NdrClientCall2, 
which then called rpcrt4!NdrClientCall2. 
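A full wt trace of a function such as PNP_GetDeviceList runs to many screens, so the call flow is easier to read from a summary. The following PowerShell script is an added example, not code from the column: it parses wt lines of the form shown in Figure 3 ("own instructions, child instructions, [depth], module!symbol") into objects and reports the direct callees of the traced function and the instructions spent per module. The first three trace lines come from Figure 3; the remaining lines of the sample trace are constructed for this example.

```powershell
# Added example, not from the column: summarise a WinDbg `wt` trace.
# Sample trace: the first three symbol lines are from Figure 3, the rest are
# constructed to show a nested call and the returns back up the stack.
$sampleTrace = @'
Tracing setupapi!PNP_GetDeviceList to return address 770edf88
   10     0 [  0] setupapi!PNP_GetDeviceList
    1     0 [  1]   setupapi!NdrClientCall2
    3     0 [  1]   rpcrt4!NdrClientCall2
   40     0 [  2]     rpcrt4!NdrpClientCall2
    6    40 [  1]   rpcrt4!NdrClientCall2
   12    50 [  0] setupapi!PNP_GetDeviceList
'@

function ConvertFrom-WtTrace {
    # Turn each "<own> <children> [<depth>] <module!symbol>" line into an
    # object; header, "Omitting" and summary lines do not match and are skipped.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\d+)\s+(\d+)\s+\[\s*(\d+)\]\s+(\S+)\s*$') {
            [pscustomobject]@{
                Own      = [int]$Matches[1]   # instructions executed in this function
                Children = [int]$Matches[2]   # instructions executed in its callees
                Depth    = [int]$Matches[3]
                Symbol   = $Matches[4]
                Module   = $Matches[4].Split('!')[0]
            }
        }
    }
}

function Get-WtSummary {
    param([string]$Trace, [int]$RootDepth = 0)
    $events = @(ConvertFrom-WtTrace -Lines ($Trace -split "`r?`n"))

    # A line is a call entry when the symbol changes and the depth did not
    # shrink; a line whose depth shrinks is a return to the caller, not a call.
    $callees = [ordered]@{}
    $prev = $null
    foreach ($e in $events) {
        $isEntry = $prev -and ($e.Symbol -ne $prev.Symbol) -and ($e.Depth -ge $prev.Depth)
        if ($isEntry -and $e.Depth -eq ($RootDepth + 1)) {
            $callees[$e.Symbol] = 1 + [int]$callees[$e.Symbol]
        }
        $prev = $e
    }

    [pscustomobject]@{
        Root          = ($events | Where-Object Depth -eq $RootDepth | Select-Object -First 1).Symbol
        MaxDepth      = ($events | Measure-Object Depth -Maximum).Maximum
        DirectCallees = $callees
        # Own instructions per module: where the traced call really spends time.
        PerModule     = $events | Group-Object Module | ForEach-Object {
            [pscustomobject]@{
                Module       = $_.Name
                Instructions = ($_.Group | Measure-Object Own -Sum).Sum
            }
        }
    }
}

$summary = Get-WtSummary -Trace $sampleTrace
"Traced function: $($summary.Root) (max depth $($summary.MaxDepth))"
$summary.DirectCallees
$summary.PerModule | Format-Table -AutoSize
```

To use it on a real session, save the wt output with .logopen before running wt and pass the file contents (Get-Content -Raw) as -Trace.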

Tip 5: Identify whether a function 
call returned an error. 

Once you hit a breakpoint that you set for a 
function, how do you identify whether these 
functions have returned an error code? You 
use the gu (go up) command to return from 
the function, then use the r command to 
examine the return value. 

The gu command resumes execution until 
the current function returns. In this case, the 
gu command runs the PNP_GetDeviceList 
function, then breaks in immediately 
when the function is done. The r (register) 
command outputs the contents of registers. 
$retreg represents the return register, which 
can be used to identify whether a function 
has finished successfully or returned an error. 
We received an error 0x1d from PNP_GetDeviceList(). 
I located the return value for 
PNP_GetDeviceList documented at 
msdn.microsoft.com/en-us/library/cc239018(PROT.10).aspx: An error occurred during an 
attempt to read the registry. 

Final Steps 

The device manager issue was resolved 
by using the p (step) command to trace 
through the execution of the function. 
The debug trace session showed that 
setupapi!PNP_GetDeviceList had made an 
RPC call directed to interface 
8d9f4e40-a03d-11ce-8f69-08003e30051b. With a little 
help from Process Monitor, I found that 
this RPC call was answered by the function 
umpnpmgr.dll!PNP_GetDeviceList(), which 
was running in the services.exe process. This 
call had failed with NAME_NOT_FOUND 
because of registry corruption. I rebooted 
using the Last Known Good registry 
configuration. Problem solved! 

InstantDoc ID 102867 

RYAN MANGIPANO is an escalation engineer 
on Microsoft's Global Escalation Services team in 
Las Colinas, Texas. He specializes in core Windows 
troubleshooting and advanced debugging. For 
information about Windows debugging, visit 
blogs.msdn.com/ntdebugging. 
APC Back-UPS ES 750G 
is the energy-conscious 
choice. Save up to $40 per 
year* on your electric bill. 


SmartShedding 
Technology 


Allows the master outlet to 
sense when your computer 
has either been turned off 
or gone into sleep mode, 
so it can shut off power to 
peripherals plugged into the 
controlled outlets, saving 
you power and money. 


Uses up to 5x less power in normal operation than any other battery backup. 


Let's protect what's important. 

What's in your computer? Photos, music, 
personal files, financial data, broadband 
access, videos, and more. Your computer 
has never been more important, and 
yet it has never been at higher risk 
for damaging power surges and other 
disturbances. 

So like most people, you need to protect 
your assets. But like most people, you'd 
also like to protect the environment. With 
our new energy-conscious products, 
you can do both. Energy efficient by 
design, our new smart products protect 
the power going into your computer, 
at a cost that is quickly offset by big 
energy savings. How? Not only do the 
new Back-UPS ES and SurgeArrest 
use power wisely, they also boast a 
master/controlled outlets feature that 
automatically powers down idle devices 
to conserve energy. 

APC power protection products are available at: 





PC Connection 



"The price tag on the new UPS is $99. 
While I'm not in the habit of endorsing 
products in this blog, if you're in the 
market for a workstation-class UPS, why 
not opt for the greener option?" 

- Heather Clancy, 
ZDNet.com 

In fact, while protecting your power 
supply, we're up to five times more 
energy efficient than any other solution. 
By saving you $40 a year in energy costs, 
our Back-UPS ES pays for itself in two 
short years. The high frequency, low 
copper design has a smaller transformer 
and environmental footprint. Even the 
packaging has been carefully selected 
and manufactured to maximize use of 
recycled materials and minimize waste. 

In this world, every decision you make 
counts. So protect your power with a 
battery backup that works to protect the 
environment. It conserves power, pays 
for itself, and is backed by APC's 20-plus 
years of Legendary Reliability. For more 
information on this or our other 
great products, or for information 
about environmentally 
responsible disposal of your old 
battery, visit www.apc.com 



Energy-efficient solutions 
for every level of protection: 


Surge Protection 

Starting at $34 
Guaranteed protection 
from surges, spikes, 
and lightning. 

7 outlets, phone/fax/modem 
protection, master/controlled outlets 


Battery Back-UPS 

Starting at $99 
Our most energy- 
efficient backup for 
home computers. 

10 outlets, DSL and coax 
protection, master/controlled 
outlets, high frequency design, 
70 minutes of runtime* 


APC can help with your other power-protection needs. 

Visit www.apc.com to see our complete line of innovative products 



Enter to Win a Back-UPS ES750G! (A $99 value) 

Also, enter key code to view other special offers and discounts. 

Visit www.apc.com/promo Key Code m777w or Call 888-289-APCC x8245 or Fax 401-788-2797 


Legendary Reliability® 


©2009 Schneider Electric, All Rights Reserved. Schneider Electric, APC, Back-UPS, and Legendary Reliability are owned by Schneider Electric, or its affiliated companies in the United States 
and other countries. All other trademarks are property of their respective owners. e-mail: esupport@apc.com • 132 Fairgrounds Road, West Kingston, RI 02892 USA • 998-0967 
* Average savings are based on comparable competitive models, and are comprised of two energy-saving features: an ultra-efficient electrical design, and the master/controlled outlets feature. Runtimes may vary depending on load. 










WHEN 

December 10, 2009 


WHERE 

Your computer 


COST 

$99 for all 3 lessons 


LESSONS 

11:00 am ET - VMware Virtualization 
Capabilities and the vSphere Platform 

12:30 pm ET - Deploying and 
Managing vSphere 

2:00 pm ET - High Availability and 
Resource Management with vSphere 


HOW 

Register at www.windowsitpro.com/go/ 
elearning/VMwarevSphere 


Explore the major functionality 
capabilities of the vSphere 
virtualization platform, including 
identification of the changes 
from ESX 3.5. 

Join MVP John Savill on December 10, 2009 for 3 in-depth lessons 
and Q&A sessions on how to ensure that vSphere is deployed and 
maintained in the most optimal way. 

What you'll take away from this exclusive eLearning series: 

■ Understanding the different types of virtualization available 
and how they are best suited to your organization 

■ Understanding how vSphere is deployed and managed with 
focus on additional capabilities through Virtual Center 

■ Learning about the high availability capabilities of vSphere 
through vMotion and storage migration capabilities, including 
disaster recovery site capabilities 


INSTRUCTOR 

John Savill is the author of the popular FAQ for 
Windows and a contributing editor to Windows IT 
Pro. He is an advisory architect for EMC's Microsoft 
consulting practice. He's an MCITP: Enterprise 
Administrator for Windows Server 2008 and a 
10-time MVP. His latest book is The Complete Guide 
to Windows Server 2008 (Addison-Wesley). 



Learn more about the speaker, lessons, 
and how to reserve your seat at: 
www.windowsitpro.com/go/elearning/ 
VMwarevSphere 
WinDirStat Simplifies Finding 
Where Your Disk Space Is Going 

When I need to find out why a hard 
drive is running out of free space, simply 
searching for files by size using Windows' 
built-in search capabilities isn't always 
up to the task. I can certainly find the 
largest files on a drive, but they lack 
the context of surrounding files and file 
types. Furthermore, you can't identify 
problems caused by large numbers of 
smaller files. Instead, I prefer to use the 
free WinDirStat directory statistics tool 
(windirstat.info). Inspired by the KDE 
tool KDirStat, WinDirStat is a portable 
application that provides multiple views 
of file-space usage. It's compatible with 
Windows 95 and later. 

The multiple usage views simplify getting 
a quick overview of disk usage. An 
expandable folder listing shows folder usage 
sorted by size, including percentage 
of space used, absolute size, and number 
of items. An extension listing provides a 
breakdown on usage by extension and 
provides a color key for the file types that 
are displayed in the Treemap view. 

The Treemap view is what I use to 
quickly get a usage overview. Blocks, 
proportional to size, represent files and 
are arranged so that each larger rectangular 
grouping is a directory or subdirectory. 
With a few seconds of inspection in 
WinDirStat, I usually know why a drive is 
getting full. 

One caveat to keep in mind is that 
on Windows 7 and Windows Vista, 
WinDirStat's uninstaller doesn't correctly 
remove the All Users\Start Menu\Programs 
folder for WinDirStat or the installing 
user's desktop shortcut. You'll have 
to remove these leftover pieces yourself. 
However, WinDirStat doesn't actually 
need the installation routine, so you can 
just install it once and copy WinDirStat.exe 
and WinDirStat.chm to a network location 
or USB drive for mobile use. 

—Alex K. Angelopoulos, IT consultant 

InstantDoc ID 102794 
READER TO READER 


Protect AD from Administrative 
Errors 

Imagine that you're the enterprise administrator 
of a multidomain Active Directory 
(AD) environment. You're attending a presentation 
by your new CIO Steve Johanson 
justifying the sizable IT budget to the shareholders. 
The meeting is supposed to start 
in 5 minutes and your CIO can't access his 
presentation on the company SAN. When 
you look up his account to make sure he 
has the necessary access permissions, you 
find that his account is missing. You look 
at the change log and see that your junior 
administrator was supposed to remove the 
account for Steve Johnson, who just retired. 
Then it dawns on you—the wrong user was 
removed. Now it's panic time. Fortunately, 
the CIO knows a few good jokes and can 
entertain the shareholders while you 
reanimate his user account, give him a 
new password, and add him back to all the 
groups in the other domains so he can access 
the presentation as well as the rest of 
his reference material. Fortunately, the CIO 
understands that mistakes happen, but you 
wish it could all have been avoided. 

Most administrators have been in situations 
in which a mistake has led to users 
being accidentally deleted, removed from 
groups, or granted access they shouldn't 
have. Although you can purchase expensive 
AD backup utilities or set up complicated 
scripts that let you recover an account in 
only a few minutes, wouldn't it be great if 
you could avoid these types of mistakes 
altogether? 

Protecting AD objects from administrative errors is challenging. One way to meet this challenge is to have administrators check each other's changes before implementing them. Another way is to use third-party tools to automate changes. One solution that not many people are aware of is to use selective authentication, which was introduced in Windows Server 2003, in an external trust. 

The selective authentication solution takes some work to set up initially, but it provides an effective way to audit AD changes. When selective authentication is enabled, users (in this case, administrators) in a trusted domain are explicitly granted rights on specific computers in the trusting domain, so you can control what resources they can access. 

Here's how to set up an AD environment 
for selective authentication: 

1. On the production side of the AD forest, set up a lag site that contains one domain controller (DC) but no associated subnets. Set up a strict replication schedule in which you either allow replication at very limited times or require all replication to be manually triggered. (Turning off all scheduled replication on a site link will generate spanning tree error events on other DCs.) The replication limitation is controlled through the site link schedule. 

2. Set up a second forest (aka the Admin Forest) that contains two or more DCs for redundancy. Place all the administrator accounts for which you want to validate changes in this forest. 

3. Set up an external trust between the two forests. Although the trust can be domain based or forest based, you need to set it up as a one-way trust, where the outgoing or trusted domain is the admin domain and the trusting side is the production AD. Instead of using the default authentication method, choose the selective authentication method. 

4. Grant authentication permission. You now have a group of administrator accounts in the Admin Forest that can see the trust to the production forest but can't authenticate to any of the resources in it. So, you need to grant the Allowed to Authenticate permission to the administrator group on the DC in the lag site (aka lag DC). 

5. Grant activity rights. Go through your standard delegation procedure to grant the administrators the rights they need to perform their jobs, such as adding or deleting objects, modifying DNS properties, and creating Group Policy Objects (GPOs). 

Selective authentication combined with the Allowed to Authenticate permission on a single DC forces all changes to happen only on that machine. With this setup, administrators can perform their duties, but any mistakes are restricted to one DC in a site that doesn't perform any user authentication. The changes remain there until the replication schedule permits them to propagate. If the replication schedule is manual (i.e., no scheduled times for replication), the changes won't propagate until somebody manually releases them. 

This brings us to how to use this solution. You should separate your administrators into two groups. The administrators in one group make changes on the lag DC. The administrators in the other group regularly look at all the changes that have been made on the lag DC. If the changes are acceptable, they force a replication into the live environment. If the changes aren't valid, contain mistakes, or violate company policy, they inform the administrator who made the changes so that he or she can remedy the situation. 

So, how does a verification administrator check the changes? In Windows 2003 and earlier, the easiest way is to have Audit DS Changes enabled in the DC's audit policy. This allows all changes made on the DC to be recorded in the security log. Because all changes are being made on a single DC, the verification administrator just has to look at one log and search for any change events that have occurred since the last replication. 

Windows Server 2008 introduced some better tools for reviewing directory service changes, such as Dsamain. With this tool, you can mount an LDAP database created in a backup (or created using the Ntdsutil utility), then use a script to compare all objects between the offline LDAP backup and the live lag-site forest, thereby letting you see all changes that have yet to propagate. Server 2008 also has enhanced event auditing, which lets you see more information about changes and create custom views to show only changed objects. 

There are also third-party audit tools that you can use. These tools let you capture changes in real time and compare different databases on different DCs, providing an easy way to see what has changed. 

Had the selective authentication solution been in place, the opening scenario would have played out differently. Here's what would have happened: The junior administrator sees he needs to delete the account for Steve Johnson, so he logs on to the Microsoft Management Console (MMC) Active Directory Users and Computers (ADUC) console in the Admin Forest using his account, which is also in the Admin Forest. He navigates to the production forest and tries to connect to a DC. Because selective authentication is being used in an external trust, he can only connect to the lag DC—all other DCs give him an access denied message. He searches for Steve Joh* and accidentally deletes Steve Johanson on the lag DC. At this point, the mistake is made, but it's confined to the lag DC. 

The verification administrator logs on to the production forest and looks at the changes made on the lag DC. He notices that the account for CIO Steve Johanson has been deleted. Instead of replicating the change to another site and allowing it to spread throughout the forest, he simply contacts the junior administrator about the problem. He also takes the lag DC offline until after the CIO's meeting is over. The CIO can access his resources and won't know about the mistake until he sees the monthly status report—at which point he will thank you profusely. 

Note that there are a few caveats when 
using this solution: 

• The chances of an erroneous DS change impacting the production environment have been mitigated but not eliminated. A verification administrator might miss seeing a problem and propagate an erroneous change. This is especially likely if there is a large volume of changes being made. Verification administrators can get caught up in the number of events and not look at them as closely as they should. 

• The domain and enterprise administrator accounts still exist in the production forest and can make changes. So, if they really want to, administrators could circumvent the system and make changes directly on any DC in the production forest instead of on the lag DC. 

Although these caveats exist, they're offset by the solution's potential benefits. Besides the obvious one (i.e., reducing the chance that an erroneous change impacts the production environment), the benefits include the following: 

• You have a straightforward way to audit and report on heritage object changes (especially if you use Server 2008) because every change takes place on one DC. 

• You add a bit of protection against account compromise. If an administrator account is compromised, the scope is restricted to the lag DC. So, all you need to do is wipe the lag DC and Admin Forest DCs clean, which is much less work than rebuilding AD and all its data. 


Figure 1 (referenced in "Dnscmd Versions Discrepancy" below): The Help information for Dnscmd's /dp switch 

[/DP <FQDN>] 
    fully qualified domain name of directory partition 
    where zone should be stored; or use one of: 
    /DP /domain - domain directory partition 
    /DP /forest - forest directory partition 
    /DP /legacy - legacy directory partition 

Obviously, this solution isn't well-suited for a large multinational forest because it would create a tsunami of change verifications. It's also not well-suited for a call center Help desk that does password resets because the new passwords need to be immediately available to users. 

However, this solution is well-suited for 

• Organizational units (OUs) that contain 
highly visible accounts, such as the CIO's 
account. 

• Small AD environments in which untrained staff work as AD administrators. 

• Small AD environments in which an erroneous change can be catastrophic. 

• Probationary administrators. (You can 
make sure that they know what they're 
doing before you let them loose.) 

• Administrators of critical services, such as 
DNS. 

• Configuration administrators of line of 
business (LOB) applications that store 
data in AD, where a mistake will make 
the application nonfunctional. 

Using selective authentication in an external trust provides an effective solution for protecting AD objects from administrative errors. Although it requires some upfront work to set up, it can save you a lot of grief later on. As an advanced Microsoft feature, selective authentication is one more security tool that you can pull out of your bag of tricks. 

—James R. Day, senior system engineer, NuAxis 

InstantDoc ID 102765 
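As an added example that is not part of James Day's column, here is a PowerShell script a verification administrator could run to pull the Directory Service change events from the lag DC's Security log and flag the ones most likely to hurt, such as a deleted user account. It assumes the Server 2008 event IDs written by Audit Directory Service Changes (5136 modify, 5137 create, 5138 undelete, 5139 move, 5141 delete); the server name LAGDC, the cut-off time and the two sample event records are constructed placeholders.

```powershell
# Added example (not from the original column): review Directory Service
# change events recorded on the lag DC before releasing replication.
# Assumes the Server 2008 "Audit Directory Service Changes" event IDs.
$DsChangeEventIds = @{ 5136 = 'Modify'; 5137 = 'Create'; 5138 = 'Undelete'; 5139 = 'Move'; 5141 = 'Delete' }

function ConvertFrom-DsChangeEvent {
    # Flattens one Security-log event (XML, e.g. from $event.ToXml()) into a record.
    param([Parameter(Mandatory = $true)][xml]$EventXml)
    $nsm = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
    $nsm.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $id   = [int]$EventXml.SelectSingleNode('/e:Event/e:System/e:EventID', $nsm).InnerText
    $time = $EventXml.SelectSingleNode('/e:Event/e:System/e:TimeCreated', $nsm).GetAttribute('SystemTime')
    $data = @{}
    foreach ($d in $EventXml.SelectNodes('/e:Event/e:EventData/e:Data', $nsm)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    # A move (5139) reports OldObjectDN/NewObjectDN instead of ObjectDN.
    $dn = if ($data.ContainsKey('ObjectDN')) { $data['ObjectDN'] } else { $data['NewObjectDN'] }
    New-Object PSObject -Property @{
        Time        = [datetime]$time
        EventId     = $id
        Action      = $DsChangeEventIds[$id]
        Actor       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        ObjectClass = $data['ObjectClass']
        ObjectDN    = $dn
        Attribute   = $data['AttributeLDAPDisplayName']   # present on 5136 only
        Value       = $data['AttributeValue']             # present on 5136 only
    }
}

function Get-LagDcChanges {
    # Live query: everything changed on the lag DC since the last approved replication.
    param([string]$ComputerName = 'LAGDC',                 # placeholder host name
          [datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Security'; Id = [int[]]@($DsChangeEventIds.Keys); StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter |
        ForEach-Object { ConvertFrom-DsChangeEvent ([xml]$_.ToXml()) }
}

function Get-RiskyChanges {
    # Deletions and moves of user or group objects deserve a look before anything else.
    param([object[]]$Changes)
    @($Changes | Where-Object { ('Delete', 'Move') -contains $_.Action -and ('user', 'group') -contains $_.ObjectClass })
}

# Constructed sample records in the shape of Security-log event XML, so the
# review logic can be exercised without a DC.
$SampleDelete = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5141</EventID><TimeCreated SystemTime="2009-10-05T09:55:00.000Z"/><Computer>LAGDC.prod.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jradmin</Data><Data Name="SubjectDomainName">ADMIN</Data>
    <Data Name="ObjectDN">CN=Steve Johanson,OU=Executives,DC=prod,DC=example</Data>
    <Data Name="ObjectClass">user</Data>
  </EventData>
</Event>
'@
$SampleModify = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><TimeCreated SystemTime="2009-10-05T09:50:00.000Z"/><Computer>LAGDC.prod.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jradmin</Data><Data Name="SubjectDomainName">ADMIN</Data>
    <Data Name="ObjectDN">CN=Steve Johnson,OU=Retired,DC=prod,DC=example</Data>
    <Data Name="ObjectClass">user</Data>
    <Data Name="AttributeLDAPDisplayName">description</Data><Data Name="AttributeValue">Retired</Data>
  </EventData>
</Event>
'@

function Show-SampleReview {
    $changes = @($SampleDelete, $SampleModify) | ForEach-Object { ConvertFrom-DsChangeEvent ([xml]$_) }
    $changes | Sort-Object Time | Select-Object Time, Action, Actor, ObjectClass, ObjectDN | Format-Table -AutoSize
    foreach ($c in Get-RiskyChanges $changes) {
        Write-Warning ('Hold replication: {0} of {1} by {2}' -f $c.Action, $c.ObjectDN, $c.Actor)
    }
}
Show-SampleReview
```

Against the sample records the table lists both changes and the warning singles out the deletion of CN=Steve Johanson, which is exactly the event the verification administrator in the scenario needs to catch before forcing replication. For the live case, replace the sample call with `Get-LagDcChanges -Since <time of last release>` and pipe the result through `Get-RiskyChanges`.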

Dnscmd Versions Discrepancy 

You can automate creating an Active Directory (AD)-integrated zone with forest-wide replication using the Dnscmd utility. However, you must use version 5.2.3790 or later of the Dnscmd utility, which you can find in the Windows Support Tools for Windows Server 2003 (32-bit). 

If you're using the correct version of Dnscmd, the following command will create a new AD-integrated zone through a server named DNSSERVER: 

dnscmd DNSSERVER /zoneadd 80.16.172.in-addr.arpa /dsprimary /dp /forest 

Unfortunately, if you try to use this same command with version 5.1.2600 of Dnscmd, which is in the Windows Support Tools for Windows XP, Dnscmd will silently ignore the /dp switch. Furthermore, this version of Dnscmd will set the zone to replicate only to domain controllers (DCs). If you have any DNS servers that aren't DCs, they won't receive replication updates. (Although this sample command creates a reverse zone, the problem pertains to creating both reverse and forward AD-integrated zones.) 

If you're trying to automate zone creation from the command line or a batch file, you can't use the command-line Help file to ensure you have the correct version of Dnscmd. Both versions claim to support the directory partition syntax and will show the Help information in Figure 1 for the /dp switch. 

Despite what the command-line Help file states, version 5.1.2600 of Dnscmd will neither set up forest-wide replication nor replicate to non-DC DNS servers. So, if you're working from an XP system, check the version of Dnscmd you have before creating a DNS AD-integrated zone. As Figure 2 shows, you can find the version on Dnscmd's properties page. If you don't have version 5.1.2600 or later and you don't have the Windows Support Tools for Windows 2003 (32-bit), you can download Dnscmd from the "Windows Server 2003 Service Pack 1 32-bit Support Tools" web page (www.microsoft.com/downloads/details.aspx?familyid=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en). 

—Rick Sheikh, IT consultant 
InstantDoc ID 102795 



Figure 2: Finding the version of Dnscmd 
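The version check the column recommends can be built into the batch job itself, so an old Dnscmd fails loudly instead of quietly creating a domain-only zone. The following PowerShell is an added example, not code from Rick Sheikh's column: it reads the four-part file version that the Properties dialog in Figure 2 shows, compares it with the 5.2.3790 minimum the column gives, and only then runs the same /zoneadd command. DNSSERVER and the zone name are the column's placeholders; the Support Tools fallback folder and the two sample version numbers are assumptions.

```powershell
# Added example, not from the original column: refuse to create an
# AD-integrated zone with a Dnscmd that silently drops the /dp switch.
$MinimumDnscmdVersion = [version]'5.2.3790.0'   # minimum from the column; XP's 5.1.2600 is too old

function Get-FileVersion {
    # Reads the four-part file version shown on the file's Properties page (Figure 2).
    param([Parameter(Mandatory = $true)][string]$Path)
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-DnscmdVersion {
    # Pure comparison, so the rule can be checked without dnscmd.exe present.
    param([Parameter(Mandatory = $true)][version]$Found,
          [version]$Minimum = $MinimumDnscmdVersion)
    return ($Found -ge $Minimum)
}

function Find-Dnscmd {
    # Prefer the copy on PATH; fall back to the Support Tools default folder (assumed location).
    $cmd = @(Get-Command dnscmd.exe -ErrorAction SilentlyContinue)
    if ($cmd.Count -gt 0) { return $cmd[0].Path }
    $fallback = Join-Path $env:ProgramFiles 'Support Tools\dnscmd.exe'
    if (Test-Path -LiteralPath $fallback) { return $fallback }
    throw 'dnscmd.exe not found'
}

function New-ForestReplicatedZone {
    # Same command as the column (dnscmd <server> /zoneadd <zone> /dsprimary /dp /forest),
    # gated on the Dnscmd version so an automated job stops instead of creating a
    # zone that replicates only to DCs.
    param([string]$Server = 'DNSSERVER',
          [string]$Zone = '80.16.172.in-addr.arpa')
    $exe = Find-Dnscmd
    $ver = Get-FileVersion -Path $exe
    if (-not (Test-DnscmdVersion -Found $ver)) {
        throw "Dnscmd $ver at $exe is older than $MinimumDnscmdVersion; /dp /forest would be ignored"
    }
    & $exe $Server /zoneadd $Zone /dsprimary /dp /forest
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed with exit code $LASTEXITCODE" }
}

# Offline check of the rule with the two version families the column mentions
# (fourth parts are constructed):
Test-DnscmdVersion -Found ([version]'5.1.2600.0')   # False: XP Support Tools
Test-DnscmdVersion -Found ([version]'5.2.3790.0')   # True: Server 2003 Support Tools
```

The comparison uses System.Version rather than string matching, so 5.2.3790.3959 (a later Server 2003 service-pack build) also passes while 5.10.x or 5.1.2600.x correctly fails.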
ASK THE EXPERTS: ANSWERS TO YOUR QUESTIONS 

■ User Rights ■ Outlook ■ Hyper-V ■ Windows 7 



Q: How can I configure and 
manage Windows user rights from 
the command line? 

A: You can use the ntrights utility to grant or revoke Windows user rights to users and groups on a local or remote computer. You can configure both logon rights and privileges with the ntrights utility, which is included in the Windows Server 2003 Resource Kit and the Windows 2000 Resource Kit. For example, to grant ServiceAccount1 on computer MyComputer the Logon as a service right, you must run the command 

Ntrights +r SeServiceLogonRight -u ServiceAccount1 -m \\MyComputer 

To revoke the Everyone group's right to Access this computer from the network, run the command 

Ntrights -r SeNetworkLogonRight -u Everyone 

To display the user rights that have been assigned to the account you used to log on to a Windows system, use the whoami command line tool with the /priv switch. Whoami is included in the Windows 2000 Resource Kit and bundled with Server 2003, Windows Vista, and Windows Server 2008. 

You can use the ShowPriv utility to display a list of which users and groups have been assigned a particular user right on your systems. ShowPriv is included in the Server 2003 Resource Kit and the Windows 2000 Resource Kit. Showpriv SeInteractiveLogonRight will, as an example, let you find users and groups that have been assigned the Log on locally logon right on your system. 

—Jan De Clercq 

InstantDoc ID 102499 
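As an added example that is not from Jan De Clercq's answer, the same three tasks (list who holds a right, grant it, revoke it) done with secedit.exe, which ships in the OS, for systems where the Resource Kit tools aren't installed. It exports the [Privilege Rights] section of the local policy, edits the holder list, and imports it back; the important caveat it handles is that secedit replaces the whole holder list for a right, so the current holders must be read first. The right names are the ones in the answer; the account names, SIDs, temporary file paths and the sample INF text are constructed.

```powershell
# Added example, not from the original answer. Manages user rights with
# secedit.exe instead of the Resource Kit ntrights/ShowPriv tools.

function ConvertFrom-PrivilegeRights {
    # Parses the [Privilege Rights] section of a secedit INF into a hashtable:
    # right name -> array of principals ('*SID' as secedit writes them, or DOMAIN\name).
    param([Parameter(Mandatory = $true)][string[]]$InfLines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        $name, $value = $t -split '\s*=\s*', 2
        $rights[$name] = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    }
    return $rights
}

function Resolve-Principal {
    # secedit writes accounts as *SID; show the account name where it resolves.
    param([string]$Entry)
    if (-not $Entry.StartsWith('*')) { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Entry }
}

function Get-AccountSidEntry {
    # DOMAIN\name or a well-known name such as Everyone -> '*SID' in secedit form.
    param([string]$Account)
    $acct = New-Object System.Security.Principal.NTAccount($Account)
    '*' + $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Export-LocalPrivilegeRights {
    # Live: dump the current assignments to an INF and parse it (ShowPriv equivalent).
    $inf = Join-Path $env:TEMP 'rights-export.inf'     # constructed temp path
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    ConvertFrom-PrivilegeRights -InfLines (Get-Content -LiteralPath $inf)
}

function Get-RightHolders {
    # Who holds a right? Pass -Rights to work from an already-parsed INF.
    param([Parameter(Mandatory = $true)][string]$Right,
          [hashtable]$Rights = (Export-LocalPrivilegeRights))
    @($Rights[$Right] | Where-Object { $_ } | ForEach-Object { Resolve-Principal $_ })
}

function Set-LocalRightHolders {
    # Live: secedit applies the INF as the complete holder list for the right,
    # so $Holders must contain everyone who should keep the right.
    param([Parameter(Mandatory = $true)][string]$Right,
          [Parameter(Mandatory = $true)][AllowEmptyCollection()][string[]]$Holders)
    $inf = Join-Path $env:TEMP 'rights-change.inf'     # constructed temp paths
    $db  = Join-Path $env:TEMP 'rights-change.sdb'
    @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
      '[Privilege Rights]', ('{0} = {1}' -f $Right, ($Holders -join ','))) |
        Set-Content -LiteralPath $inf -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }
}

function Grant-LocalRight {
    # Equivalent of: ntrights +r <Right> -u <Account>
    param([string]$Right, [string]$Account)
    $current = @((Export-LocalPrivilegeRights)[$Right] | Where-Object { $_ })
    $entry = Get-AccountSidEntry $Account
    if ($current -notcontains $entry) { Set-LocalRightHolders -Right $Right -Holders ($current + $entry) }
}

function Revoke-LocalRight {
    # Equivalent of: ntrights -r <Right> -u <Account>
    param([string]$Right, [string]$Account)
    $entry = Get-AccountSidEntry $Account
    $remaining = @((Export-LocalPrivilegeRights)[$Right] | Where-Object { $_ -and $_ -ne $entry })
    Set-LocalRightHolders -Right $Right -Holders $remaining
}

# Constructed sample of a secedit export, to exercise the parser offline.
$SampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-20
SeNetworkLogonRight = *S-1-5-32-544,*S-1-1-0
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
'@
$parsed = ConvertFrom-PrivilegeRights -InfLines ($SampleInf -split "`r?`n")
Get-RightHolders -Right SeNetworkLogonRight -Rights $parsed   # BUILTIN\Administrators, Everyone
```

Run live, `Get-RightHolders -Right SeInteractiveLogonRight` is the ShowPriv check from the answer, `Grant-LocalRight SeServiceLogonRight 'PROD\ServiceAccount1'` the first ntrights command, and `Revoke-LocalRight SeNetworkLogonRight Everyone` the second; the export-then-import round trip is what keeps the other holders of the right in place.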

Q: How can I send calendar 
information from Outlook to a 
mobile phone using SMS? 

A: In another column, InstantDoc ID 102160, I looked at the Microsoft Outlook Mobile Service (OMS), which allows users to send SMS messages to mobile phones using an SMS Service. Within the OMS configuration settings, if added to an Outlook profile, is the option to send calendar data to an SMS-enabled mobile device. People in an organization who don't come to the office every morning, and who don't use an alternative synchronization application or protocol such as ActiveSync, should find this feature particularly useful. 

When you install OMS, it adds commands to the standard Office Outlook 2007 menus. A section labeled Mobile is added to the Preference tab under Tools, Options. Click Notifications to open the Outlook Mobile Notification dialog box. 



William Lefkovics | william@mojavemediagroup.com 
John Savill | jsavill@windowsitpro.com 
Jan De Clercq | jan.declercq@hp.com 


Q: Does a pass-through disk for Hyper-V have to be direct attached storage on the Hyper-V host? 

A: No. A pass-through disk is any storage that is accessible to the Hyper-V server, such as direct attached or a LUN on a Storage Area Network. Remember that regardless of where the storage is, it must be offline on the actual Hyper-V server before the guest can be configured to access it via pass-through. Also remember that the entire disk is mapped to a guest, not a volume on the disk. Finally, the disk must be initialized before it can be used for pass-through, so if the disk isn't initialized then initialize it on the Hyper-V host then place it in an offline status so it can be used for pass-through. 

Normally you use Virtual Hard Disks for virtual machine storage. When configured as fixed size, VHDs perform almost identically to pass-through storage, and you lose features such as snap-shotting when using pass-through, so always try and use VHD above pass-through. 

—John Savill 

InstantDoc ID 102562 


At the bottom of this dialog box is a check 
box you can select to send a copy of the 
daily calendar to a wireless number using 
SMS. Note that this feature sends the next 
day's calendar. The drop-down box where 
you select the time isn't customizable— 
you must choose a time from a list that 
incorporates 30 minute increments on the 
hour and on the half-hour. 

On the receiving end, the user will see 
by default a single SMS message for each 
calendar item sent. If there are six meet¬ 
ings, then the user should receive six SMS 
messages for the day. To send without 
this separation, uncheck the check box 
next to Send one single mobile message 
per appointment or meeting request. 
Figure 1: Windows 7's version select screen 


This will use up all 160 characters of an SMS message before adding another. Either way, a full daily calendar may be spread over many SMS messages. This is important if your SMS service plan charges per message. 

There's an option to exclude all-day events; these events often don't have a specific location or requirement for user response. 

By default, recurring events with instances on the weekend are omitted. Finally, the calendar items sent to the mobile device can be restricted by the time of the appointment. By default, this feature sends only calendar items falling between the common office hours of 9 A.M. through 5 P.M. If you schedule the calendar appointments to be sent at 5 A.M. it will send the next day's calendar, not the current day's appointments, to the user. This is the only mistake I've seen administrators make with this feature. 

—William Lefkovics 

InstantDoc ID 102337 

Q: Do I need to download all the different versions of Windows 7 from MSDN? 

A: MSDN provides a different ISO for each version of Windows 7 (e.g., Ultimate, Professional, Starter) but they're all the same ISO. The only difference is that there's a file (ei.cfg) in the sources folder that tells the setup routine which image to select. You could, therefore, open the ISO, remove this file, and save the ISO. When you install from this ISO, you'd be prompted for which version of Windows 7 you want to install, as shown in Figure 1. You do, however, still need to download the x64 and x86 versions of Windows 7 if you want both the 32-bit and 64-bit versions. 

You could also create multiple ISOs and modify the content of ei.cfg. The format is 

[EditionID] 
<version> 
[Channel] 
Retail 
[VL] 
0 

So just change <version> to Ultimate, Professional, HomePremium, HomeBasic, or Starter. See Microsoft's site at tinyurl.com/Ihhvgl for more information on ei.cfg. 

—John Savill 
InstantDoc ID 102658 

Q: Does Microsoft provide a mechanism to restrict which administrators can manage a particular Hyper-V virtual machine (VM)? I want to make sure that VM administrators can only manage their VMs and can't touch the parent partition. 


A: You can use the Authorization Manager (AzMan) to define specific roles for VM administrators on a Hyper-V server, and to ensure that they have permissions only for their respective VMs. 

Microsoft first introduced AzMan in Windows Server 2003 so that developers and administrators would be able to add role-based access control (RBAC) rules to their applications more easily. Unfortunately, few Windows administrators have used AzMan and knowledge about how to configure it is fairly rare. For an excellent description of how to set up AzMan for delegating permissions on a Hyper-V server, see the blog at tinyurl.com/nsdksb. 

In this context, it's worth mentioning System Center Virtual Machine Manager (VMM), Microsoft's enterprise management solution for virtualization servers and VMs. VMM reduces the complexity of configuring and managing AzMan authorization rules. More information about VMM is available on Microsoft's site at tinyurl.com/6reqdn. 

—Jan De Clercq 
InstantDoc ID 102497 
TOP 8 REASONS for Implementing End-to-End Site Recovery Solutions Using Windows Server® 2008 with Hyper-V™ 

Virtualization has changed the way IT looks at cross-site disaster recovery. In the past, ensuring cross-site business continuity required a significant investment in hardware and software, including dedicated physical servers and storage infrastructure at multiple sites. With virtualization, you can reduce the amount of dedicated hardware required and the associated investment. Businesses that have committed to implementing Site Recovery (SR) solutions can gain greater value for their investment. And for companies previously unable to justify investment in SR, the return on investment can be significantly improved. 

1. Integrated end-to-end solutions 

Along with leading storage providers, Microsoft is delivering end-to-end site recovery solutions that leverage Windows Server® 2008 Failover Clustering, Hyper-V™, and integrated physical and virtual management through the System Center suite—including Microsoft System Center Virtual Machine Manager 2008 (VMM). By combining Hyper-V, Failover Clustering, and integrated management with storage partner data replication, Microsoft virtualization customers achieve robust, high-value, cost-effective site recovery solutions. 

2. Connecting geographically dispersed sites 

Clustering technology in Windows Server 2008 has been improved and redesigned; new features make it simpler to implement and use. By utilizing stretch clustering, IT Professionals ensure the availability of their host infrastructure between locations. Working with storage partner data replication, Microsoft delivers site recovery failover across geographic areas to protect against catastrophic failure at a primary location. With greatly expanded support for failover clusters, VMM 2008 improves its high availability capabilities for managing mission-critical virtual machines. VMM 2008 is now fully cluster-aware, meaning that it can detect and manage Hyper-V host clusters as a single unit. Managing VMs through VMM is completely seamless and managing highly available VMs is the same as managing VMs on a stand-alone system. 


3. Build on existing skills and investment 

Microsoft customers have been using Windows clustering technology for more than a decade. And with the release of Windows Server 2008 and Hyper-V, with failover clustering, Windows Server users have the tools in hand for implementing site recovery solutions that extend their existing investment in a Windows Server IT environment. Although users can choose manual-only failover, Windows Server clustering supports automatic failover and failback between primary and recovery sites, a solution that achieves a low Recovery Time Objective (RTO). 
4. Integrated management for physical and virtual environments 

The Microsoft System Center suite provides integrated management for physical and virtual environments—from core components such as Microsoft Systems Center Operations Manager, which you can use to provide overall operational information about your computing environment, to specific tools such as Microsoft System Center Virtual Machine Manager 2008, which simplifies migration to, and management of, virtualized environments. To ensure business continuity VMM also offers Performance and Resource Optimization (PRO), dynamically responding to failure scenarios and situations where performance is not optimized or to poorly configured components identified in hardware, operating systems, or applications. This is beyond simple alerting; PRO can perform a range of tasks including load balancing and automated migration of virtual machines to a different physical host. 

5. Other features in Windows Server 2008 R2 

With the high availability capabilities built into Windows Server, you can design an infrastructure that provides a robust, reliable shared-storage solution that offers built-in redundancy and tight integration with virtualization. For example, the Microsoft MPIO framework provides high availability and dynamic load balancing to SAN devices through redundant network or fabric connections. Microsoft MPIO dynamically routes I/O to the best path and protects against failures at any connection point between a Hyper-V host and shared storage. 





6. Ability to leverage Live Migration support 

With the support for virtualization and stretch clustering in Windows Server Failover Clusters in Windows Server 2008 and the Live Migration support added by Microsoft System Center Virtual Machine Manager you already have the ability to do live migration not just between servers (physical or virtual) in the same datacenter, but between sites as well. This is a key component for a business continuity or disaster recovery solution. It's also a practical solution to the problem of migration to new or upgraded datacenters, or data center consolidation concerns. 




7. Versatile partner ecosystem 

A broad range of companies are partnering with Microsoft to offer solutions that build on and extend the capabilities of Windows Server 2008 to deliver end-to-end site recovery solutions. Solutions from Microsoft's extensive partner ecosystem leverage the capabilities of Windows Server 2008 R2 Hyper-V Failover Clustering and the System Center suite to provide integrated solutions for dispersed multi-site environments. Failover Clustering and Microsoft's partner ecosystem have been in place a long time and have proven to be a successful combination for many types of workloads. 

8. Business benefits 

Taking full advantage of Hyper-V along with failover clustering technologies already available in the Windows Server software means that you can deploy a much more flexible business server infrastructure, at little to no additional expense. Making use of Windows Server 2008 Failover Clustering and virtualization with Hyper-V gives Windows Server IT departments the ability to deploy, manage, and maintain highly available and cost-efficient server systems that are flexible and effective at addressing ongoing business needs. 
Dig out these little-known Active Directory Tools 

by Sean Deuby 


Like any complex system, Active Directory (AD) and its related support tools have numerous commands and techniques to make administration a bit easier and more efficient. As you acquire AD skills and knowledge, your toolkit will grow larger and you'll branch into using less-well-known tools and methods. In this article I present several AD nuggets you might not have discovered yet. 


Free GPO Disaster Recovery 

Backup and recovery is a key area any AD administrator must pay attention to. But just instituting a domain controller (DC) backup and recovery plan isn't enough. You also need a separate backup and recovery plan for Group Policy. Unlike DCs, Group Policy Objects (GPOs) are typically delegated to a larger group of organizational unit (OU) administrators, rather than just the overall AD service administrators. The more people who work with GPOs—especially relatively inexperienced admins—the greater the chance that a GPO will be accidentally (or intentionally) altered or deleted. Because changes to a production GPO almost always affect multiple users, restoring the GPO quickly is a high priority. You can restore a GPO from DC backups, but the process can be slow and obtrusive. 

Setting up basic GPO backup and recovery is easy. Group Policy Management Console (GPMC), which is included in Windows Server 2008 and Windows Server 2008 R2 and available as a download for Windows Server 2003 (at http://bit.ly/4DpDVp), has a great library of 32 sample scripts to perform Group Policy maintenance. After you install GPMC in Server 2003, these scripts are located in C:\Program Files\GPMC\Scripts. Although Server 2008 and R2 no longer include the scripts by default, they will work with these OS versions. You can download the scripts from Microsoft at http://bit.ly/ljef98. In Server 2008 and R2, the scripts will install in C:\Program Files\Microsoft Group Policy\GPMC Sample Scripts. All the scripts let you perform various useful operations on GPOs; but the backup and recovery scripts we're interested in for the purpose of this discussion include BackupGPO.wsf, BackupAllGPOs.wsf, RestoreGPO.wsf, and RestoreAllGPOs.wsf. From an AD administrator's viewpoint, we're most interested in BackupAllGPOs to back up all the GPOs in a domain and RestoreGPO to restore a single GPO. 

The scripts are written in either VBScript or JScript. If cscript.exe isn't your default scripting host, you'll need to explicitly specify cscript.exe on the command line. To back up all the GPOs in your domain, navigate to the script directory and run 

Cscript backupallgpos.wsf <BackupLocation> [/Comment:<Comment>] [/Domain:<DNSDomain>] 

The script will back up all the GPOs in your domain to the location you specify and create subfolders for each GPO, named by the 128-bit GUID that uniquely identifies the GPO. Once you've backed up all the GPOs, you can use RestoreGPO.wsf to restore them individually: 

Cscript restoreGPO.wsf <backup location> <GPO name> /domain:<DNSDomain> 

Although these scripts will back up and restore both the GPOs in AD and the Group Policy templates on SYSVOL, they don't back up or restore the links between the GPOs and the OUs they're applied to. You must track these links separately, or you can use the ListSOMPolicyTree.wsf script to list the relationships between the GPOs and the site, domains, and OUs they could be linked to. 
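The links are the one thing the backup scripts leave out, so it pays to capture them alongside the backups. The PowerShell below is an added example and not one of the GPMC sample scripts: it parses the gPLink attribute, which is where AD stores a container's GPO links (each entry carries the GPO's DN and an options bitmask: bit 0 set means the link is disabled, bit 1 set means enforced), and inventories every linked container under a search root. The domain DN, the backup folder and the sample gPLink value are constructed; the two GUIDs in the sample are the well-known Default Domain Policy and Default Domain Controllers Policy GUIDs.

```powershell
# Added example, not from the article or GPMC. Inventories GPO links (the
# gPLink attribute on sites, the domain and OUs), which BackupAllGPOs.wsf
# does not save, so they can be re-created after a RestoreGPO.

function ConvertFrom-GPLink {
    # gPLink holds zero or more entries of the form
    #   [LDAP://cn={GPO-GUID},cn=policies,cn=system,DC=...;options]
    # options bit 0 = link disabled, bit 1 = enforced (no override).
    # The first entry is link order 1 (highest precedence at that container).
    param([AllowEmptyString()][string]$GPLink)
    $links = @()
    $order = 0
    foreach ($m in [regex]::Matches($GPLink, '\[LDAP://([^;\]]+);(\d+)\]', 'IgnoreCase')) {
        $order++
        $dn  = $m.Groups[1].Value
        $opt = [int]$m.Groups[2].Value
        $guid = if ($dn -match '\{([0-9a-f-]{36})\}') { $matches[1].ToUpper() } else { $null }
        $links += New-Object PSObject -Property @{
            LinkOrder = $order
            GpoGuid   = $guid
            GpoDN     = $dn
            Enabled   = (($opt -band 1) -eq 0)
            Enforced  = (($opt -band 2) -ne 0)
        }
    }
    return ,$links
}

function Get-GPLinkInventory {
    # Live: one row per link on every container under $SearchRoot that has a gPLink.
    # Run it against the domain root and again against CN=Sites in the configuration
    # partition to cover site links. The DN below is a placeholder.
    param([string]$SearchRoot = 'LDAP://DC=prod,DC=example')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher.Filter   = '(gPLink=*)'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'gPLink', 'gPOptions'))
    foreach ($r in $searcher.FindAll()) {
        $som  = [string]$r.Properties['distinguishedname'][0]
        $opts = $r.Properties['gpoptions']
        # gPOptions bit 0 on the container itself means "block inheritance".
        $blockInheritance = ($opts -ne $null) -and ($opts.Count -gt 0) -and (([int]$opts[0] -band 1) -ne 0)
        foreach ($l in ConvertFrom-GPLink ([string]$r.Properties['gplink'][0])) {
            $l | Add-Member -MemberType NoteProperty -Name Container -Value $som
            $l | Add-Member -MemberType NoteProperty -Name BlockInheritance -Value $blockInheritance
            $l
        }
    }
}

# Save the inventory next to the GPO backups (placeholder path):
#   Get-GPLinkInventory | Export-Csv -NoTypeInformation C:\GPOBackups\gplinks.csv

# Constructed sample: two links, the second one enforced.
$SampleGPLink = '[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=prod,DC=example;0]' +
                '[LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=prod,DC=example;2]'
ConvertFrom-GPLink $SampleGPLink | Format-Table LinkOrder, GpoGuid, Enabled, Enforced -AutoSize
```

The CSV pairs each link with the GPO GUID, which is also the name of the backup subfolder BackupAllGPOs.wsf creates, so after a restore the link order, enforced flag and block-inheritance state of each container can be put back from the inventory.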

Monitoring FRS 

An area related to Group Policy is SYSVOL, the folder structure on 
every DC that contains the domain's Group Policy templates and 
logon scripts. A replication mechanism—File Replication Service 
(FRS) in Server 2003, Distributed File System Replication (DFSR) 
in Server 2008 and R2—ensures that the SYSVOL structure stays 
synchronized between all the DCs in a domain. Using DFSR for 
SYSVOL replication is a huge improvement over the trouble-prone 
FRS replication method. However, because DFSR requires both Server 2008 and a manual FRS-to-DFSR upgrade process, the majority of production domains still run FRS. 

You should monitor FRS for two reasons. First, a properly functioning SYSVOL is critical to a healthy domain. However, most AD administrators don't proactively check or monitor FRS—partly because FRS Event Log messages are infrequent and not especially informative, and partly because FRS problems take a while to surface. Second, you need to ensure that FRS is functioning properly before you attempt an upgrade to DFSR replication, or you might corrupt your SYSVOL. 

Microsoft has an FRS monitoring tool called Ultrasound, which you can download at http://bit.ly/gMy6S. An unusual name for a Microsoft utility, the tool was christened Ultrasound because it was the successor to a simpler tool named Sonar. (Don't ask me how Sonar got its name.) Ultrasound consists of three major components. The first is a small Windows Management Instrumentation (WMI) provider that's installed on every DC. It gathers FRS status information and sends it to the next component: the Ultrasound controller. This component consists of a service and a database that holds the FRS status data the controller pulls from the monitored servers. The database can be either Microsoft SQL Server Desktop Engine (MSDE—which you can download at http://bit.ly/20HiM) or SQL Server, and it doesn't have to be on the same system as the controller. The final component is the Ultrasound administrator's console, which must be installed on the same system as the controller component. This is where you can add and remove members (DCs) that are being monitored and view the general health of the monitored FRS set. You can also drill down into a great level of detail. Because the administrative console is limited in where it can run, keeping it constantly open for operators is inconvenient and probably unnecessary. I recommend that you install it, use it to clean up any existing SYSVOL replication problems, then revisit it once a week. Although Ultrasound has been around for a while, and it has the unique look and feel of a tool that grew out of Microsoft's Product Support Services (PSS) group, it gets the job done.
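Ultrasound is a full product; for the weekly check the article recommends, a script that asks each DC the two questions that matter (is ntfrs running, and has it logged a connectivity failure or journal wrap) is often enough. The following is an added example, not code from the article or from Microsoft. It discovers the DCs from the current domain and reads the "File Replication Service" event log remotely; the event IDs are the documented NTFRS ones (13508 cannot connect to a partner, 13509 that problem cleared, 13568 journal wrap, 13516 SYSVOL ready). It assumes the caller can read remote event logs and query services.

```powershell
# Added example (not part of the article): an FRS health sweep to schedule, or to
# run before an FRS-to-DFSR migration. For every DC it checks that the ntfrs
# service is running and scans the "File Replication Service" event log for the
# NTFRS event IDs that matter. The DC list is discovered from the current domain;
# it assumes the caller can read remote logs and services.
$FrsEventIds = @{
    13508 = 'Cannot establish a replication connection'
    13509 = 'Connection problem resolved'
    13568 = 'Journal wrap: replica set has stopped replicating'
    13516 = 'SYSVOL share ready'
}

function Get-DomainControllerNames {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $domain.DomainControllers | ForEach-Object { $_.Name }
}

function Get-FrsHealth {
    param(
        [string[]]$ComputerName = (Get-DomainControllerNames),
        [int]$Days = 7
    )
    $since = (Get-Date).AddDays(-$Days)
    foreach ($dc in $ComputerName) {
        $svc = Get-Service -Name ntfrs -ComputerName $dc -ErrorAction SilentlyContinue
        $running = ($svc -ne $null) -and ($svc.Status -eq 'Running')

        $events = @(Get-EventLog -LogName 'File Replication Service' -ComputerName $dc -After $since -ErrorAction SilentlyContinue |
                    Where-Object { $FrsEventIds.ContainsKey([int]$_.EventID) })

        # A 13508 only counts if no later 13509 has cleared it.
        $lastFail  = $events | Where-Object { $_.EventID -eq 13508 } | Sort-Object TimeGenerated | Select-Object -Last 1
        $lastClear = $events | Where-Object { $_.EventID -eq 13509 } | Sort-Object TimeGenerated | Select-Object -Last 1
        $openFailure = ($lastFail -ne $null) -and
                       (($lastClear -eq $null) -or ($lastClear.TimeGenerated -lt $lastFail.TimeGenerated))
        $journalWrap = @($events | Where-Object { $_.EventID -eq 13568 }).Count -gt 0

        New-Object PSObject -Property @{
            DC              = $dc
            ServiceRunning  = $running
            OpenConnFailure = $openFailure
            JournalWrap     = $journalWrap
            Healthy         = $running -and (-not $openFailure) -and (-not $journalWrap)
        }
    }
}

# Report; anything with Healthy = False needs fixing before dfsrmig is even considered.
Get-FrsHealth | Format-Table DC, ServiceRunning, OpenConnFailure, JournalWrap, Healthy -AutoSize
```

A journal wrap (13568) is the case that silently breaks SYSVOL for weeks, so it is the one to alert on. Once every DC reports Healthy, `dfsrmig /getglobalstate` on a Server 2008 DC tells you whether the FRS-to-DFSR migration has been started.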

NTDSUTIL Scripting 

We all use NTDSUTIL for relatively common tasks, such as metadata cleanup after unplanned DC failures. But did you know that you can build simple scripts to run NTDSUTIL actions from the task scheduler or interactively? Simply list the NTDSUTIL commands one after another on a single command line. If a command consists of several words (for example, activate instance ntds), enclose it in quotes so that NTDSUTIL receives it as a single command.

A good script example is the AD snapshot feature available in Server 2008. This feature lets you use the Volume Shadow Copy Service (VSS) to create a snapshot of a domain's data. You create the snapshot with the NTDSUTIL "snapshot" command. You can then use this information to quickly restore an object and all its attributes (including the hard-to-restore backlinks such as memberOf), through a combination of tombstone reanimation and PowerShell scripts.

For the snapshot feature to be useful, however, you must take snapshots on a regular basis. NTDSUTIL scripting lets you easily do so with the following one-line script:

Ntdsutil snapshot "activate instance ntds" create quit quit

Figure 1 shows the output from running this script. Add this script to Task Scheduler in a batch file. Similarly, you can create a script to view all the available snapshots, which is useful when you're in a hurry to restore an object:

Ntdsutil snapshot "activate instance ntds" "list all" quit quit

(NTDSUTIL accepts unambiguous abbreviations, so "act inst ntds" works just as well; whichever form you use, the quotes around each multi-word command are required.)

You can then quickly look through the listings to determine which snapshot you want to mount with the database mounting tool (dsamain.exe, which ships with Server 2008; see http://bit.ly/X4prc).
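The one-liners above are fine interactively, but a scheduled task also needs to know whether the snapshot was actually taken and to prune old ones, otherwise the shadow storage fills up. The following is an added example, not the article's script or Microsoft's, that wraps the same NTDSUTIL commands in PowerShell functions. Its assumptions: ntdsutil.exe is on the path (true on any Server 2008 DC); "create" prints "Snapshot set {<guid>} generated successfully"; and "list all" prints one header line per snapshot set in the form "<n>: <yyyy/MM/dd:HH:mm> {<guid>}" followed by the volume lines. The parser is a separate function so those format assumptions can be checked against real output before the cleanup step is trusted.

```powershell
# Added example (not the article's script): wrap the NTDSUTIL snapshot commands so a
# scheduled task can create a snapshot, confirm it was taken, and prune old ones.
# Assumptions (mine, not the article's): ntdsutil.exe is on the path; "create"
# reports "generated successfully"; "list all" prints one header line per snapshot
# in the form "<n>: <yyyy/MM/dd:HH:mm> {<guid>}" before its volume lines.

function Invoke-Ntdsutil {
    param([string[]]$Command)
    # Each element is passed as one NTDSUTIL argument, so multi-word commands such
    # as "activate instance ntds" stay intact without manual quoting.
    (& ntdsutil.exe @Command 2>&1) -join "`n"
}

function ConvertFrom-SnapshotList {
    param([string]$Text)
    # Parses "list all" output; kept separate so it can be checked offline.
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*(\d+):\s+(\d{4}/\d{2}/\d{2}:\d{2}:\d{2})\s+\{([0-9a-fA-F-]{36})\}') {
            New-Object PSObject -Property @{
                Index   = [int]$Matches[1]
                Created = [datetime]::ParseExact($Matches[2], 'yyyy/MM/dd:HH:mm', $null)
                Guid    = $Matches[3]
            }
        }
    }
}

function New-AdSnapshot {
    $out = Invoke-Ntdsutil 'snapshot', 'activate instance ntds', 'create', 'quit', 'quit'
    if ($out -notmatch 'generated successfully') { throw "Snapshot creation failed:`n$out" }
    $out
}

function Get-AdSnapshot {
    ConvertFrom-SnapshotList (Invoke-Ntdsutil 'snapshot', 'activate instance ntds', 'list all', 'quit', 'quit')
}

function Remove-AdSnapshotOlderThan {
    param([int]$Days = 30)
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($snap in Get-AdSnapshot | Where-Object { $_.Created -lt $cutoff }) {
        Invoke-Ntdsutil 'snapshot', 'activate instance ntds', "delete {$($snap.Guid)}", 'quit', 'quit' | Out-Null
        "Deleted snapshot $($snap.Guid) taken $($snap.Created)"
    }
}

# Scheduled-task body: take a fresh snapshot, then keep only the last 30 days.
New-AdSnapshot
Remove-AdSnapshotOlderThan -Days 30
```

To use a snapshot, mount it (`ntdsutil snapshot "list all" "mount {guid}" quit quit`), then expose the mounted ntds.dit with dsamain.exe on a spare LDAP port (`dsamain -dbpath <mount path>\Windows\NTDS\ntds.dit -ldapport 51389`) and point LDP or Active Directory Users and Computers at that port to read the old attribute values. Snapshots contain the whole database, password hashes included, so they need the same protection as a backup.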

Preventing Accidental 
Deletion of OUs 

Much of an AD administrator's job involves one simple task: preventing accidental deletion of AD objects. The difficulty of this task is directly related to the number of people who have rights in the domain. A good AD security model includes some speed bumps to minimize this risk. Although these practices don't constitute a complete solution by themselves, the defense-in-depth principle ensures that their cumulative effect will make the domain a little safer.

One such speed bump is using AD's own 
access control to prevent accidental deletion 
of OUs. Although security principals (users, 
groups, and computers) in an OU come 
and go, OUs are part of an organization's 
structure and are rarely deleted. Starting 
with Server 2008, the Microsoft Directory 
Services Team made it easy to do what 
experienced AD admins had already been 
doing on their own: setting a Deny ACE (i.e., 
access control entry) on objects to prevent 
them from being inadvertently deleted. 

In the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, you can enable a setting to protect an object from accidental deletion, as Figure 2 shows. This check box, located in the OU Properties page's Object tab, sets Deny ACEs for the Delete and Delete Subtree permissions for the Everyone group. The check box must be clear for a deletion to take place.

Figure 1: Running an NTDSUTIL script to take regular snapshots

Figure 2: Preventing accidental deletion of an object

You need to be aware of a few details when using this feature. First, this check box protects only the OU itself. You can create, modify, and delete security principals in the OU with no problem. Second, the feature lacks inheritance—in other words, if you enable the feature for the top-level OU of an OU structure, it applies only to the OU for which you enabled it, not the OUs beneath that one. Although you can use .NET to write a script to apply the feature to other OUs, unless you have a particularly large OU structure, selecting the check box manually will probably take less time than writing (and exhaustively testing) a script. Because this feature sets a Deny ACE, you can apply this protection to any object in AD, but only the New OU wizard features an easy-to-use check box.
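For a large OU structure, or to audit one that grew without the check box, the script the text alludes to is short. The following is an added example, not the article's own script, that writes exactly the ACE the check box writes (Everyone, Deny, Delete and Delete Subtree, on the object itself with no inheritance) to every OU in the domain and reports which ones were unprotected. It uses only System.DirectoryServices, so it runs from a Server 2008 DC or a Vista/Windows 7 RSAT workstation without the R2 AD module; it assumes the caller can modify OU security descriptors.

```powershell
# Added example (not the article's script): apply the same Deny ACE that the
# "Protect object from accidental deletion" check box sets (Everyone: Deny Delete
# and Delete Subtree, on the object itself, not inherited) to every OU in the
# domain, and report which OUs were unprotected. Run as an account that can modify
# OU security descriptors.
Add-Type -AssemblyName System.DirectoryServices

$EveryoneSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$DeleteRights = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'

function Test-OuProtected {
    param([System.DirectoryServices.DirectoryEntry]$Ou)
    # Explicit ACEs only ($true, $false): this is the ACE the check box writes.
    $rules = $Ou.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Deny' -and
            $r.IdentityReference.Value -eq $EveryoneSid.Value -and
            (($r.ActiveDirectoryRights -band $DeleteRights) -eq $DeleteRights)) {
            return $true
        }
    }
    return $false
}

function Protect-Ou {
    param([System.DirectoryServices.DirectoryEntry]$Ou)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $EveryoneSid, $DeleteRights,
        [System.Security.AccessControl.AccessControlType]::Deny,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $Ou.ObjectSecurity.AddAccessRule($ace)
    $Ou.CommitChanges()
}

function Protect-AllOus {
    param([switch]$ReportOnly)
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.Filter     = '(objectClass=organizationalUn
it)'.Replace("`n", '')
    $searcher.PageSize   = 1000   # paged search: works beyond the 1000-object limit
    foreach ($result in $searcher.FindAll()) {
        $ou = $result.GetDirectoryEntry()
        $wasProtected = Test-OuProtected -Ou $ou
        if (-not $wasProtected -and -not $ReportOnly) { Protect-Ou -Ou $ou }
        New-Object PSObject -Property @{
            OU           = $ou.distinguishedName.Value
            WasProtected = $wasProtected
            Protected    = $wasProtected -or (-not $ReportOnly)
        }
    }
}

# First see what is exposed, then fix it.
Protect-AllOus -ReportOnly | Where-Object { -not $_.WasProtected } | Format-Table OU -AutoSize
Protect-AllOus | Format-Table OU, WasProtected, Protected -AutoSize
```

On Server 2008 R2 the same thing is a one-liner with the AD module (`Get-ADOrganizationalUnit -Filter * | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true`), and `Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion` gives the report. Either way, remember that the Deny ACE is a speed bump: anyone with rights to edit the OU's security descriptor can remove it.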

Attribute Access for 
Everyone 

One of the AD challenges that small and medium-sized companies face is correctly populating data without the use of expensive add-on tools. AD is pre-populated with an attribute for practically everything you can think of—and a few things you can't (e.g., Telex-Number).

The employeeID attribute is intended to store an employee's unique ID number. However, there's no place in Active Directory Users and Computers where this attribute is exposed. An HR staff member or account administrator adding a new employee must use command-line tools such as dsmod or joeware's admod. Most account administrators aren't comfortable working with distinguished names (DNs), so a simple UI solution would be nice. Fortunately, an update to Active Directory Users and Computers for Windows 7 and Windows Vista provides an answer. The Remote Server Administration Tools (RSAT) for Vista (http://bit.ly/cnwzD) or Windows 7 (http://bit.ly/TYGxd) features an updated version of Active Directory Users and Computers (dsa.msc) with a welcome new feature: the Attribute Editor.

The Attribute Editor adds a key bit of functionality that's in ADSIEDIT or the LDP editor, but not in the familiar Active Directory Users and Computers interface: You can edit any AD object attribute, not just the ones the Active Directory Users and Computers interface traditionally exposed. Using our previous scenario, Figure 3 shows how to add an employee ID number to the new employee Sosumi Areti (the new staff Liability Director). By default, the Attribute Editor shows only a subset of all attributes for the object. You can filter the attribute list by whether they have values, are writeable, are mandatory or optional, are constructed, are backlinks, or are system-only. The ability to expose a constructed attribute can be very handy; if you're using fine-grained password policies in Server 2008, you can expose the effective password settings object for a user (the constructed attribute msDS-ResultantPSO). Doing so is analogous to looking at the resultant set of policies for a user if you want to see what GPOs are affecting the user.

In addition to installing on Windows 7 or Vista, the Attribute Editor requires that you upgrade your Server 2003 forest schema to Server 2008 to update the forestwide display specifiers. An alternative manual workaround is available at http://bit.ly/ysFPl.

Figure 3: Adding an employee ID number

■ AD NUGGETS

Note that the RSAT installation works differently in Windows 7 and Vista than in Windows XP and Server 2003. When you install the toolset, the Start menu doesn't change—nothing appears to have installed. To make the tools appear, open the Control Panel Programs and Features applet, select Turn Windows features on or off, select Remote Server Administration Tools, Role Administration Tools, and drill down to the Active Directory Domain Services (AD DS) tools. (I encountered an R2 bug that requires you to check each tool individually, which I hope is fixed in RTM.) Finally, check the Advanced section of the View menu to see the Attribute Editor.

Figure 4: Using Active Directory Sites and Services to disable replication

Controlling Replication 

Although AD replication typically works well without administrator intervention, every AD administrator should know how to control it manually. Suppose that you accidentally delete an object and don't notice it right away. Being able to quickly stop replication outside your site will prevent the deletion from affecting outside users. Several replication control methods are available.

The best-known method is to use Active Directory Sites and Services (dssite.msc) to manage AD's sites and site links. Site links are the pathways upon which data is replicated. Start Active Directory Sites and Services and navigate to Sites, Inter-Site Transports, IP, then open the properties of the site link on which you want to disable replication, as Figure 4 shows. Click Change Schedule, select the entire range of days and hours in the schedule grid, and select Replication Not Available. This action disables replication between all sites that use the site link.

Using Active Directory Sites and Services disables replication only at the site level. You might need to disable replication at the DC level as well, perhaps to isolate schema changes or accidental deletions (if you're quick and have a script already set up). To disable replication at the DC level, you need to use the kitchen sink of replication tools—REPADMIN.

REPADMIN has so many command 
switches, sub-options, and complexities that 
someone could write an entire book about 
it. For this article, let's focus on the /options 
switch. If you use the standard /? switch to 
search REPADMIN's help files, you won't 
even see the /options switch. You must use 
/experthelp, which lists the more powerful 
switches that Microsoft clearly states "could 
break your Active Directory installation." 
And if you're running Server 2008, using 
/options is even more complicated; you 
must enter repadmin /?:options. 

Once you figure out REPADMIN's syntax, it's the same for Server 2008 and Server 2003. Although replication is always a "pull" operation—meaning that a DC will always request replication to it, rather than push replication out from it—you'll typically want to disable outbound replication, because that is what stops the DC's own changes (a schema change or an accidental deletion) from being pulled by its partners. To disable outbound replication on a single DC, run

Repadmin /options <DC name> +disable_outbound_repl

If you want to disable outbound replication for multiple DCs, you'll have to write a simple script. To re-enable replication, change the "+" to a "-" and rerun the command.

The one exception to the REPADMIN /options command is that in Server 2008 you can disable outbound replication for an entire site—which is very handy in case of accidental deletion:

Repadmin /options site:<Site name> +disable_outbound_repl
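The "simple script" for several DCs should also confirm the flag took, because REPADMIN returns quietly whether or not it could reach the DC. The following is an added example, not the article's script, that toggles DISABLE_OUTBOUND_REPL on a list of DCs and reads the DSA options back. Its assumptions: repadmin.exe is on the path, and `repadmin /options <dc>` prints a line starting "Current DSA Options:" followed by the active flags (for example IS_GC DISABLE_OUTBOUND_REPL). The site-to-DC lookup is done with .NET rather than the `site:` syntax so that the same script works against Server 2003 DCs.

```powershell
# Added example (not the article's script): disable or re-enable outbound
# replication on several DCs at once with REPADMIN, then verify by reading the DSA
# options back. Assumptions (mine): repadmin.exe is on the path and prints a
# "Current DSA Options:" line listing the active flags.
function Get-SiteDcs {
    param([string]$SiteName)
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $site = $forest.Sites | Where-Object { $_.Name -eq $SiteName }
    if (-not $site) { throw "Site '$SiteName' not found in forest $($forest.Name)" }
    $site.Servers | ForEach-Object { $_.Name }
}

function ConvertFrom-DsaOptionsText {
    param([string]$Text)
    # Separated from the repadmin call so the parsing can be checked offline.
    if ($Text -match 'Current DSA Options:\s*(.*)') {
        return @($Matches[1].Trim() -split '\s+' | Where-Object { $_ -and $_ -ne '(none)' })
    }
    throw "Unexpected repadmin output:`n$Text"
}

function Get-DsaOptions {
    param([string]$DC)
    ConvertFrom-DsaOptionsText ((& repadmin.exe /options $DC 2>&1) -join "`n")
}

function Set-OutboundReplication {
    param([string[]]$DC, [switch]$Disable)
    $flag = if ($Disable) { '+DISABLE_OUTBOUND_REPL' } else { '-DISABLE_OUTBOUND_REPL' }
    foreach ($d in $DC) {
        & repadmin.exe /options $d $flag | Out-Null
        $opts = Get-DsaOptions -DC $d
        $isOff = $opts -contains 'DISABLE_OUTBOUND_REPL'
        if ($isOff -ne [bool]$Disable) {
            Write-Warning "$d : change did not take effect (options now: $($opts -join ' '))"
        }
        New-Object PSObject -Property @{ DC = $d; OutboundDisabled = $isOff; Options = ($opts -join ' ') }
    }
}

# Contain an accidental deletion: stop every DC in the site from handing it on...
Set-OutboundReplication -DC (Get-SiteDcs -SiteName 'Default-First-Site-Name') -Disable | Format-Table -AutoSize
# ...and, once the object is restored, let replication flow again.
Set-OutboundReplication -DC (Get-SiteDcs -SiteName 'Default-First-Site-Name') | Format-Table -AutoSize
```

The report the function returns is what goes into the change-control record; a DC left with DISABLE_OUTBOUND_REPL set will stop replicating its changes indefinitely and, as the next paragraph warns, few people will think to look at `repadmin /options` when troubleshooting it later.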

Several other advanced methods exist for controlling replication between individual DCs or groups of DCs, but they can be an administrative nightmare because the settings are so far outside where an AD administrator would typically look to resolve a replication problem. If you didn't clearly document the actions, your DCs might need to be entirely rebuilt. Even the /options method isn't easy for the casual troubleshooter to find. A solid production change-control process is extremely important.

Obscurely Useful 

AD is a complex structure with numerous tricks and tools to make administration easier. Some methods are more obvious and more widely used. The approaches I present in this article are less well known, but I hope they add to your arsenal of useful techniques for managing your AD environment.

New in Windows Server 2008 R2


Windows Server 2008 R2 is known for its new Hyper-V implementation with zero down-time migration capabilities. However, changes to Active Directory (AD) in Server 2008 R2 are almost as compelling and hint at this important infrastructure's future developments. The new AD features can be separated into two areas—manageability enhancements, and "everything else," which includes some very useful capabilities.

Domain and Forest Functional Level Changes 

Server 2008 R2 offers a new domain functional level, which you can enable after you have 
all Server 2008 R2 domain controllers (DCs) in the domain. It adds support for the new 
authentication mechanism assurance features we will discuss shortly. 

Server 2008 R2 also offers a new forest functional level. It requires all DCs in the entire 
forest to be running Server 2008 R2 and adds support for the new Recycle Bin feature. Unlike 
previous Windows Server domain and forest functional level changes, moving here isn't 
one-way and can be reversed providing you haven't activated any feature that requires the 
domain or forest level. For example, if you've moved to the Server 2008 R2 forest functional 
level and haven't enabled the Recycle Bin, you could drop the forest functional level back 
down to the Server 2008 functional level. After you move to a Server 2008 R2 functional level, 
you aren't able to add Windows Server 2003 or Server 2008 DCs to the domain or forest. 

Before you can introduce a Server 2008 R2 DC into a domain, you must perform a 
schema update as well as other tasks to be able to use certain new features in Server 2008 
R2. If you're coming from a Windows 2003 domain as opposed to a domain already prepared 
for Server 2008, you'll also need to update Group Policy objects (GPOs). 

In terms of co-existence, Windows 2000 SP4, Windows 2003, and Server 2008 DCs can exist in a domain with Server 2008 R2 DCs. Windows NT 4.0 BDCs aren't supported in a domain with Server 2008 R2. Obviously, as we raise the domain and forest functional levels, the OS versions of the DCs are restricted to match the level we choose.

Manageability 
Features 

Server 2008 started the big push for Windows PowerShell-based management across the OS and services, but not all components had PowerShell support (many, in fact, did not). Server Core's new minimal installation mode with reduced footprint and attack surface didn't even support PowerShell because of the .NET dependency, which wasn't available on Server Core.

Server 2008 R2 remedies many of these 
PowerShell omissions. Server Core now 
supports many components of .NET, which 
means PowerShell is supported on Server 
2008 R2 Server Core installations. Many 
roles and features that previously didn't 
support PowerShell now do, including AD. 

The AD PowerShell implementation includes 75 PowerShell cmdlets and a PowerShell provider with an additional 14 cmdlets. Microsoft estimates that around 70 percent of AD functions can be performed with direct AD cmdlets written specifically to address the actions. The other 30 percent of these actions can be accomplished with PowerShell but not with dedicated cmdlets; instead, combinations of cmdlets are used.

Active Directory Web Service 

The new Active Directory Web Service (ADWS) is installed on Server 2008 R2 DCs; it listens on TCP port 9389. The required firewall exception is enabled automatically as part of the role installation (including Server Core DCs); however, if you control firewall exceptions via Group Policy, you need to ensure you open this new port.

Currently most tools connect using LDAP and remote procedure calls (RPCs). However, offering a web service for AD access enables a superior developer experience and forms the first stage of a bigger objective, which is the enablement of AD for cloud and distributed service scenarios.

Figure 1: Active Directory Administrative Center home page

AD PowerShell cmdlets use the interface provided by ADWS. If a DC can't be found offering the ADWS, then the AD PowerShell cmdlets won't work. It's therefore very important that you have a sufficient number of R2 DCs running ADWS across all domains that a PowerShell cmdlet might query. Although you can disable ADWS, it's discouraged. Note that when Server 2008 R2 is released, an out-of-band update for Windows 2003 and Server 2008 will be released to add ADWS to these AD implementations (it shipped as the Active Directory Management Gateway Service).

Active Directory Administrative 
Center 

Active Directory Administrative Center (ADAC), which Figure 1 shows, is a new interface designed to replace Active Directory Users and Computers. In future server versions, ADAC will also replace AD Domains and Trusts and AD Sites and Services. It will offer a single administrative interface for all AD management along with support for features that currently don't have any graphical interface, such as Recycle Bin and fine-grained password policies (FGPPs).

ADAC lets you manage users, groups, 
computers, and organizational units (OUs) 
and offers powerful and intuitive search and 
filter options. Within a single instance, it lets 
you manage multiple domains and even 
connect to multiple DCs simultaneously. 

ADAC is built on PowerShell but currently doesn't display the PowerShell commands that would be used to complete actions; this may be an option for a future version. ADAC consists of many layers; for example, it uses PowerShell, which, in turn, uses ADWS. ADAC's many new components and dependencies on the new 2008 R2 capabilities actually provide a very rich platform for AD management.

Even More Great Management 
Features 

In addition to the key features above, you'll also find more components related to management. Each is extremely useful in its own right.

Active Directory Health Model. This is a single authoritative source for diagnostic information, which is used by the management packs and best practice analyzers. This health model can also be accessed by other third-party applications if necessary.

Best Practices Analyzer (BPA) for Active Directory. This is available through Server Manager and allows the installation of the selected DC to be validated against all the AD best practices. It's a useful "quick access" check point to confirm configuration.

Windows IT Pro, November 2009 (www.windowsitpro.com)

Management Pack for Server 2008 and Server 2008 R2. Although not an AD feature, a new System Center Operations Manager 2007 management pack monitors all features related to Server 2008 and Server 2008 R2 AD implementations. See the Microsoft download page: www.microsoft.com/downloads/details.aspx?FamilyId=008F58A6-DC67-4E59-95C6-D7C7C34A1447&displaylang=en.

The Really Good Stuff 

Server 2008 R2's new management features are nearly overshadowed by two new non-managerial functions of Server 2008 R2: Managed Service Accounts (MSAs) and the AD Recycle Bin.

Managed Service Accounts. Service accounts—dedicated AD accounts that run a server service—are the longest-standing security weakness in AD. Because services such as SQL Server and Exchange depend on these accounts, changing their passwords will interrupt the service, so in practice the passwords are rarely rotated. To avoid this problem, many installations opt to use built-in accounts such as Local System and Network Service, which are then shared by many services. However, if one service is compromised, all the services using the same built-in account could be compromised. This has finally been addressed in R2 with MSAs.

MSAs in Server 2008 R2 are AD accounts that are designed to simplify password and Service Principal Name (SPN) management: the account's password is changed automatically, like a computer account's, and the host picks up the new password without any service interruption. The SPN configuration is required for Kerberos to function correctly and currently must be done by a domain admin; with an MSA, you can delegate the SPN update to any user, along with the ability for the service to automatically update the SPN for its MSA. Note that an MSA can be used on only one computer; there's no sharing between computers.

To take advantage of the password management capabilities of MSAs, you can have domains running in Windows 2003 or later, but they must have run the Server 2008 R2 forest and domain preparations. To access the SPN management capabilities, you must be running in Server 2008 R2 domain mode, which means using only Server 2008 R2 DCs. To use an MSA, machines must be running Server 2008 R2 or Windows 7.

When the Server 2008 R2 domain preparation is run, a new container is created called Managed Service Accounts. This is the default location for MSAs; however, you can change the location if needed. All management of MSAs is performed via PowerShell cmdlets, both within AD and on the server side. After you add an MSA in AD, give it any required rights, and install it on the host, you configure the service on the host to use the MSA, and you're done.

A virtual account works in a similar fashion to an MSA but is a local machine account. It doesn't have any password management capabilities and doesn't use AD. You can think of a virtual account as just an additional Network Service account that has its own profile. You don't add or remove virtual accounts; you just tell a service to use a virtual account.
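The three MSA steps the text lists (add the account, bind it to a host, point the service at it) are each one cmdlet, so the whole workflow fits in a short script. The following is an added example, not the article's code or Microsoft's, split into the domain-side part (run anywhere the ActiveDirectory module is available) and the host-side part (run on the R2 member server, which needs the RSAT-AD-PowerShell feature installed). Account, host, domain and service names are placeholders. The WMI Win32_Service.Change() call is my choice for pointing the service at the account; it is equivalent to `sc config <svc> obj= DOMAIN\msa$ password= ""`.

```powershell
# Added example (not the article's code): the complete Server 2008 R2 MSA workflow.
# Names are placeholders; the Change() call assumes an empty password is accepted
# for an MSA, as it is with sc.exe.
Import-Module ActiveDirectory

function New-MsaForHost {
    param([string]$MsaName, [string]$HostName, [string[]]$Spn)
    # Lands in CN=Managed Service Accounts,<domain> unless -Path says otherwise.
    New-ADServiceAccount -Name $MsaName -Enabled $true
    # Bind it to exactly one computer: an R2 MSA cannot be shared between hosts.
    Add-ADComputerServiceAccount -Identity $HostName -ServiceAccount $MsaName
    if ($Spn) {
        # SPN registration that would otherwise need a domain admin later on.
        Set-ADServiceAccount -Identity $MsaName -ServicePrincipalNames @{ Add = $Spn }
    }
    Get-ADServiceAccount -Identity $MsaName -Properties HostComputers, ServicePrincipalNames
}

function Install-MsaOnHost {
    param([string]$Domain, [string]$MsaName, [string]$ServiceName)
    # Caches the account on this host so it can fetch password changes itself.
    Install-ADServiceAccount -Identity $MsaName
    if (-not (Test-ADServiceAccount -Identity $MsaName)) {
        throw "$MsaName is not usable on this host; check Add-ADComputerServiceAccount"
    }
    $account = "$Domain\$MsaName`$"      # the trailing $ is part of the name
    $svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service $ServiceName not found" }
    # Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl,
    # StartMode, DesktopInteract, StartName, StartPassword, ...): only the account
    # changes; the password is empty because the host manages it.
    $rc = $svc.Change($null, $null, $null, $null, $null, $null, $account, '')
    if ($rc.ReturnValue -ne 0) { throw "Change() failed with code $($rc.ReturnValue)" }
    # Nothing here grants "Log on as a service"; assign that right via Group Policy.
    Restart-Service -Name $ServiceName
    (Get-WmiObject Win32_Service -Filter "Name='$ServiceName'").StartName
}

# Domain side:
New-MsaForHost -MsaName 'svc-webapp' -HostName 'APP01' -Spn 'HTTP/app01.contoso.com'
# Host side, on APP01:
Install-MsaOnHost -Domain 'CONTOSO' -MsaName 'svc-webapp' -ServiceName 'MyAppSvc'
```

Test-ADServiceAccount is the check worth keeping in a build script: it returns False when the host is not in the MSA's allowed computer list, which is the usual cause of a service that fails to start after being switched to an MSA.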

AD Recycle Bin. Deletions happen within AD, sometimes caused by admin error. When this happens, you can boot into Directory Services Restore Mode and perform authoritative restores of certain objects, or you can try to reanimate the tombstoned object directly through utilities such as ADRestore from technet.microsoft.com/sysinternals.

Both approaches have their problems. An authoritative restore is a pain and requires taking a DC offline during the restore process (and you need a good backup). Reanimating a tombstoned object brings back only a few of the object's attributes, and all linked-value attributes (such as group memberships) are lost.

With Server 2008 R2 AD, we can enable the Recycle Bin, which allows the restoration of any deleted object through a simple PowerShell cmdlet, Restore-ADObject. Currently it doesn't have a graphical interface; however, the PowerShell cmdlet still offers a lot of flexibility in restorations. When you restore an object from the Recycle Bin, all of the object's attributes, both linked and non-linked, are completely restored, which means group memberships are also restored.

To enable the Recycle Bin, you must be at the Server 2008 R2 forest and domain functional level. After you enable it, the feature can never be disabled.

A deleted object can exist in one of two states after you enable the Recycle Bin: deleted or recycled. When an object is first deleted, it goes into a deleted state and is stored in the Deleted Objects container with its distinguished name mangled. An object stays in the deleted state for the msDS-deletedObjectLifetime duration, which by default is the same as the tombstoneLifetime duration—180 days. Both of these default times can be changed.

After the msDS-deletedObjectLifetime has passed, the object becomes a recycled object, and most of its attributes are stripped away (including linked attributes). After an object is in a recycled state, it can't be restored—not via the Recycle Bin capabilities nor from an authoritative restore. The recycled state always wins: If you perform an authoritative restore of an object in a recycled state, it is placed back into that recycled state again. Once the tombstoneLifetime has passed, the object will be physically deleted via the garbage collection process.

Any objects that were in tombstone state at the time the Recycle Bin is enabled are automatically set into recycled state, which means you can't undelete them via the Recycle Bin or an authoritative restore (because their attributes were already stripped per normal pre-Recycle Bin functionality).

It should be noted that the Recycle Bin is available for Active Directory Lightweight Directory Services (AD LDS) in addition to Active Directory Domain Services (AD DS).
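Restore-ADObject is simple for a single user, but the common emergency is a deleted OU with everything under it. The following is an added example, not the article's code or Microsoft's, that enables the feature, reads the two lifetimes described above, and restores a deleted OU together with its former contents. The detail it handles: when a subtree is deleted, each child's lastKnownParent records the mangled Deleted Objects DN of its parent, not the parent's live DN, so after the parent is restored the children must be restored with an explicit -TargetPath. Forest and OU names are placeholders.

```powershell
# Added example (not the article's code): enable the Recycle Bin, show the two
# lifetimes, and restore a deleted OU plus everything that was deleted under it.
# Children point at the parent's mangled (deleted) DN, so they are restored into
# the parent's live DN explicitly. Names are placeholders.
Import-Module ActiveDirectory

function Enable-AdRecycleBin {
    param([string]$ForestName)
    # One-way: cannot be disabled afterwards; needs the R2 forest functional level.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $ForestName -Confirm:$false
}

function Get-AdObjectLifetimes {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime
    New-Object PSObject -Property @{
        # null means "not set": the default (same as tombstoneLifetime, 180 days) applies
        DeletedObjectLifetime = $ds.'msDS-DeletedObjectLifetime'
        TombstoneLifetime     = $ds.tombstoneLifetime
    }
}

function Get-AdDeletedObjects {
    # One query for the whole Deleted Objects container; filtered client-side below
    # so the mangled DNs never have to be escaped into an LDAP filter.
    Get-ADObject -LDAPFilter '(isDeleted=TRUE)' -IncludeDeletedObjects -Properties lastKnownParent, 'msDS-LastKnownRDN', isRecycled
}

function Restore-AdSubtree {
    param($Root, $AllDeleted, [string]$TargetPath)
    if ($Root.isRecycled) {
        Write-Warning "$($Root.DistinguishedName) is already recycled; it cannot be restored"
        return
    }
    $restored = if ($TargetPath) {
        Restore-ADObject -Identity $Root.ObjectGUID -TargetPath $TargetPath -PassThru
    } else {
        Restore-ADObject -Identity $Root.ObjectGUID -PassThru   # back to its lastKnownParent
    }
    # Children recorded the DN the parent had while deleted, not its live DN.
    $AllDeleted | Where-Object { $_.lastKnownParent -eq $Root.DistinguishedName } |
        ForEach-Object { Restore-AdSubtree -Root $_ -AllDeleted $AllDeleted -TargetPath $restored.DistinguishedName }
    $restored
}

# Usage: bring back the deleted "Sales" OU and its contents.
Enable-AdRecycleBin -ForestName 'contoso.com'
Get-AdObjectLifetimes
$all = Get-AdDeletedObjects
$ou  = $all | Where-Object { $_.'msDS-LastKnownRDN' -eq 'Sales' -and $_.ObjectClass -eq 'organizationalUnit' }
Restore-AdSubtree -Root $ou -AllDeleted $all | Select-Object DistinguishedName
```

If several deleted objects share the same last-known RDN, narrow the selection by ObjectGUID or by whenChanged before calling Restore-AdSubtree. The isRecycled check is what tells you the window has closed: once msDS-deletedObjectLifetime has elapsed there is nothing left to restore, which is the argument for setting that attribute deliberately rather than inheriting the 180-day default.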

Provisioning, Security, and Migration 

Sometimes you need to complete a computer provisioning, including joining a domain, in environments where a DC might not be available. A new feature called offline domain join lets machines join a domain without having to contact a DC over the network. The process uses a new command-line tool, Djoin.exe, which first provisions the new machine with an account in AD and saves the required information to a text file. The machine then uses that file to be joined offline to the domain, and after a reboot, the computer becomes part of the domain. Because the file carries the new computer account's credentials, treat it as a secret: protect it in transit and delete it once the join is staged. This is available only on Server 2008 R2 and Windows 7 computers.
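Both halves of the offline join are single Djoin.exe calls; what a script adds is the handling of the blob file, which contains the computer account password. The following is an added example, not the article's code or Microsoft's. Domain, machine and OU names are placeholders; the /provision, /savefile, /requestODJ, /loadfile, /windowspath and /localos switches are documented Djoin.exe options, and the ACL tightening with icacls is my addition.

```powershell
# Added example (not the article's code): offline domain join with Djoin.exe,
# with the provisioning blob locked to the provisioning user and removed once
# consumed. Names are placeholders.

function New-OfflineJoinBlob {
    param([string]$Domain, [string]$MachineName, [string]$MachineOU, [string]$BlobPath)
    # Run on a domain-joined Server 2008 R2 / Windows 7 box by a user allowed to
    # create computer objects in $MachineOU. /reuse is deliberately not passed, so
    # an existing account is never silently taken over.
    & djoin.exe /provision /domain $Domain /machine $MachineName /machineou $MachineOU /savefile $BlobPath
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }
    # The blob embeds the machine account password: drop inherited ACEs and grant
    # read access to the current user only.
    $me = "$env:USERDOMAIN\$env:USERNAME"
    & icacls.exe $BlobPath /inheritance:r /grant:r "${me}:(R)"
    Get-Item $BlobPath
}

function Join-OfflineFromBlob {
    param([string]$BlobPath)
    # Run on the not-yet-joined target (Server 2008 R2 / Windows 7) as a local
    # administrator; the join completes on the next reboot.
    & djoin.exe /requestODJ /loadfile $BlobPath /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }
    Remove-Item $BlobPath -Force   # single-use secret; do not leave it on disk
    'Offline join staged; reboot to complete.'
}

# Provisioning side:
New-OfflineJoinBlob -Domain 'contoso.com' -MachineName 'PC042' -MachineOU 'OU=Workstations,DC=contoso,DC=com' -BlobPath 'C:\odj\PC042.txt'
# Target side, after copying the file over:
Join-OfflineFromBlob -BlobPath 'C:\odj\PC042.txt'
```

Anyone who obtains the blob before it is consumed can join a machine of their own under that computer account, so it belongs on the same footing as a local administrator password in whatever deployment tooling carries it.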
A new feature called authentication mechanism assurance lets administrators add additional universal group memberships to a user's Kerberos token when a certificate-based logon method is used. Services can then check for this universal group membership in the user's token, which identifies details about the certificate logon performed. Different universal group memberships can be set in the token based on the certificate issuance policy object identifier (OID). This is very useful in federated identity management situations (such as ADFS) and claims-consuming applications in general. The information in the token can be extracted to check the authorization level and to grant authorization appropriately, depending on whether a certificate-based logon method was used and the OID of the certificate. Authentication mechanism assurance requires Server 2008 R2 domain mode.
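The mapping the text describes, from an issuance policy OID to a universal group, is a single attribute on the OID's object in the configuration partition. The following is an added example, not the article's code or Microsoft's, that creates and clears that link with the checks that matter. Its assumptions beyond the text: the issuance-policy object lives under CN=OID,CN=Public Key Services,CN=Services in the configuration naming context, its OID is stored in msPKI-Cert-Template-OID, and the link attribute is msDS-OIDToGroupLink. The target group must be a universal security group with no members (the DC refuses the link otherwise). The OID and group name are placeholders.

```powershell
# Added example (not the article's code): link a certificate issuance policy to a
# universal security group for authentication mechanism assurance. Container path
# and attribute names are my assumptions; OID and group names are placeholders.
Import-Module ActiveDirectory

function Get-IssuancePolicyObject {
    param([string]$PolicyOid)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=OID,CN=Public Key Services,CN=Services,$cfg" `
        -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(msPKI-Cert-Template-OID=$PolicyOid))" `
        -Properties displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'
}

function Set-IssuancePolicyGroupLink {
    param([string]$PolicyOid, [string]$GroupName)
    $policy = Get-IssuancePolicyObject -PolicyOid $PolicyOid
    if (-not $policy) { throw "No issuance policy object found for OID $PolicyOid" }
    $group = Get-ADGroup -Identity $GroupName -Properties members
    if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
        throw "$GroupName must be a universal security group"
    }
    if ($group.members -and $group.members.Count -gt 0) {
        # Membership is granted only by the certificate logon, never statically.
        throw "$GroupName must have no members"
    }
    Set-ADObject -Identity $policy.DistinguishedName -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }
    Get-IssuancePolicyObject -PolicyOid $PolicyOid | Select-Object displayName, 'msDS-OIDToGroupLink'
}

function Clear-IssuancePolicyGroupLink {
    param([string]$PolicyOid)
    $policy = Get-IssuancePolicyObject -PolicyOid $PolicyOid
    if (-not $policy) { throw "No issuance policy object found for OID $PolicyOid" }
    Set-ADObject -Identity $policy.DistinguishedName -Clear 'msDS-OIDToGroupLink'
}

# Usage: smart-card logons whose certificate carries this issuance policy get
# SmartCard-Assured in their token; a service checks that group rather than
# trying to infer the logon type itself.
Set-IssuancePolicyGroupLink -PolicyOid '1.3.6.1.4.1.311.21.8.123456.1.2' -GroupName 'SmartCard-Assured'
```

After the link is set, `whoami /groups` on a client that logged on with such a certificate lists the group, and a password logon by the same user does not; that difference is what an application or an ADFS claim rule keys on. Because the group is never populated directly, auditing its membership is pointless; audit the link attribute and the CA's issuance policy instead.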

Lastly, Server 2008 R2 offers migration wizards and documentation to help migrate AD and DNS services to new servers. Since Server 2008 R2 is 64-bit only, some companies will need to combine adopting Server 2008 R2 with a hardware refresh and possibly a virtualization platform.

The new migration wizards and documentation offer detailed guidance for the entire process. The migration portal can be found at technet.microsoft.com/en-us/library/dd365353.aspx.

Deciding What To Do Next 

Many organizations running Windows 2003 question whether they should adopt Server 2008 today or skip it and go straight to Server 2008 R2. Several different considerations can drive a decision to adopt Server 2008 R2.

You need to look at the feature sets available in the releases. Decide if the benefit of the feature warrants adopting Server 2008 today—for example, to take advantage of Read-Only DCs, Server Core, DFS Replication of SYSVOL, and FGPPs—or whether you can wait and jump straight to Server 2008 R2.


However, it's important to realize that the 
decision whether to migrate to Server 2008 
or to Server 2008 R2 doesn't have to be "all 
or nothing." Many of the new Server 2008 R2 
features can be obtained by implementing 
only a few Server 2008 R2 DCs while leaving 
the majority of DCs on Server 2008. 

Obviously one of the most sought-after features, the AD Recycle Bin, is also the most complex and most expensive, requiring every DC in the entire forest to be running Server 2008 R2. The fact that Server 2008 R2 must run on 64-bit hardware might also be a deciding factor in your adoption decision.
Use these 2 features for greater administrative control over message flow

by William Lefkovics


Microsoft Exchange Server 2007 transport rules provide a rich interface to control messages based on certain message properties. Microsoft made changes to Exchange architecture that have helped expose this functionality for easier administration and to provide better compliance and content control. Message classification complements transport rules as a means of tagging messages, either manually or automatically, for specific treatment. Outlook 2007 and Outlook Web Access (OWA) 2007 with Exchange 2007 bring this control to life.

Exchange 2007 Changes Transport Architecture 

With Exchange 2003 and Exchange 2000, Microsoft used the extensible SMTP engine of Microsoft Internet Information Services (IIS), running within the inetinfo.exe process, to provide Internet messaging services. Exchange used Component Object Model (COM)-based engines to integrate with IIS SMTP and provide programmatic access to the SMTP transport subsystem. SMTP event sinks provided the conduit between Exchange extensions of IIS SMTP and message transport. The coding required to implement a comprehensive event sink was beyond the scope of many Exchange administrators.

When Microsoft developed Exchange 2007, they rewrote the transport system from scratch in managed code. SMTP and message processing are now handled within Exchange by the Microsoft Exchange Transport Service (MSExchangeTransport.exe). The new architecture lets sequential agents access the SMTP stream at specific events. These SMTP Receive Agent events represent different commands and processes in an SMTP conversation. Table 1 outlines the different events exposed in the order they're met through an SMTP transaction.

Transport Agents and Rules 

Transport agents represent code that interacts with SMTP messages through class libraries provided by Exchange 2007. Agents can read and change message properties and content during SMTP Receive Agent events. Transport rules depend on specific transport agents: the Edge Rules agent on Exchange 2007 servers running the Edge Transport role and the Transport Rule agent on servers with the Hub Transport role installed. These rules agents act at the OnEndOfData event in the SMTP stream. Administrators assign direction to the rules agents through the use of transport rules.

An example of transport agents at work is exhibited by the set of antispam agents employed by an Edge Transport server as well as Exchange servers running the Hub Transport role with the optional antispam agents installed. The antispam agents act on message properties exposed through SMTP events and can amend an email message, reject a message, and even readdress a message. To view the transport agents installed on a server, you can run the Exchange Management Shell (EMS) command

Get-TransportPipeline

Figure 1 shows the output from running this command on an Edge Transport server. You can see where the antispam agents reside in the transport process as well as the Edge Rules agent at the OnEndOfData event.

Table 1: SMTP Receive Agent Events

Receive Agent Event      Description
OnConnect                Exchange receives an SMTP connection
OnEhloCommand            Exchange receives an SMTP EHLO command
OnHeloCommand            Exchange receives an SMTP HELO command
OnAuthCommand            Exchange receives an SMTP AUTH command, but before it responds
OnEndOfAuthentication    Exchange responds to an SMTP AUTH command
OnMailCommand            Exchange receives an SMTP MAIL command
OnRcptCommand            Exchange receives an SMTP RCPT command
OnDataCommand            Exchange receives the SMTP DATA command
OnEndOfHeaders           Exchange reaches the end of the headers for an SMTP message
OnEndOfData              Exchange reaches the end of data for an SMTP message
OnRsetCommand            Exchange receives an SMTP RSET command
OnReject                 When any other event rejects a command or message
OnDisconnect             When an SMTP connection to Exchange is closed
OnNoopCommand            Exchange receives an SMTP NOOP command
OnHelpCommand            Exchange receives an SMTP HELP command

Microsoft doesn't apply restrictions to 
transport agent behavior: They have signifi¬ 
cant access to message content and header 
information and therefore only trusted and 
tested transport agents should be deployed 
in production. For more information on 
transport agents, refer to the Microsoft article 
"Transport Agents" (msdn.microsoft.com/ 
en-us/library/aa579185.aspx). 

Edge vs. Hub: A Tale of Two Roles 

Transport rules can be managed through Exchange Management Console (EMC) as well as EMS. They can be implemented on Exchange 2007 servers hosting the Edge Transport role or the Hub Transport role. The method for administering transport rules on these separate roles is the same; however, the focus of the set of rules is different. 

Transport rules on the Edge Transport role primarily contribute to message hygiene. The Edge Rules agent can protect your internal network from email-borne attacks, such as virus outbreaks or denial of service attacks. It can also prevent internal compromises from being escalated to your clients and other external contacts by identifying and blocking unwanted outbound messages. The Edge Transport server is an email gateway, so you can use transport rules here to help ensure content reaching users' Inboxes is relevant. 

Edge Transport server rules are stored within the local implementation of Active Directory Application Mode (ADAM); therefore, where multiple Edge Transport servers are used, each one has an independent set of transport rules. ADAM is a somewhat portable subset of Active Directory (AD) and isn't replicated between servers. You can maintain identical, redundant Edge Transport servers hosting the same set of transport rules, or unique Edge Transport servers for managing specific traffic, such as separating inbound and outbound messaging gateways. 

Transport rules on Hub Transport servers focus more on message compliance and policy enforcement. You can restrict or prevent email delivery between groups of users within the organization and ensure certain information doesn't get delivered to unintended recipients. Hub Transport rules can also be used to append content, such as disclaimers, to message bodies prior to submission to an outbound gateway server. These rules are stored in the Exchange Configuration container in AD. Because these transport rules are stored in AD and replicated to all domain controllers, all Hub Transport servers access the same set of transport rules. And because every message sent through an Exchange 2007 organization must pass through at least one Hub Transport server, every message has the Hub Transport rules applied to it. This situation provides a solid platform for meeting messaging compliance requirements. 

There are three components to transport rules: conditions, exceptions, and actions. Conditions and exceptions are sometimes called predicates. Web Table 1 (www.windowsitpro.com, InstantDoc ID 102846) lists the predicates and actions available for Edge Transport and Hub Transport rules. Hub Transport rules have more options that give you greater control over message flow. Edge Transport rules identify message properties to help discern whether the message should pass freely, be amended, or even rejected. 

The available options for transport rules might not meet the requirements of every organization, and they can't be edited. However, developers can make their own transport agents to meet requirements not met by the basic transport rule set. 

Within transport rules, there are predicates that are dependent on a value called classification and an action that can assign a message classification to an email message based on properties of the message—so now we see how message classifications can be added to the mix to provide more granular control over your environment. 

Tony Redmond covers transport rules in more detail in "Exchange 2007 Transport Rules" (windowsitpro.com/article/articleid/95996). 

What Are Message Classifications? 

Message classification, similar to message categories in the Outlook client, is a means of labeling and differentiating messages. These classification tags can then be used within a transport rule so that specific actions can be invoked. Message classifications can be assigned by a Hub Transport rule or by user action before sending a new message. This feature is new to Exchange 2007 and available only with Outlook 2007 and OWA 2007. Previous versions won't recognize message classifications. 

Exchange includes several preconfigured classifications. These samples can be changed or deleted, but they might fit your company's needs. They are as follows: 

• A/C Privileged 

• Attachment Removed 

• Company Confidential 

• Company Internal 

• Originator Requested Alternate Recipient Mail 

• Partner 

The EMS cmdlet Get-MessageClassification with the format list output option can list the details of message classifications. Here's an example using the A/C Privileged classification (that's Attorney/Client, not Air Conditioning as it's apt to mean here in the Mojave Desert): 

Get-MessageClassification "A/C Privileged" | fl 

Figure 2 shows output from this command. 

Figure 1: Output from the Get-TransportPipeline command on an Edge Transport server 

Event                  TransportAgents 
OnConnectEvent         {Connection Filtering Agent} 
OnHeloCommand          {} 
OnEhloCommand          {} 
OnAuthCommand          {} 
OnEndOfAuthentication  {} 
OnMailCommand          {Connection Filtering Agent, Sender Filter Agent} 
OnRcptCommand          {Connection Filtering Agent, Address Rewriting Inbound Agent, Recipient Filter Agent} 
OnDataCommand          {} 
OnEndOfHeaders         {Connection Filtering Agent, Address Rewriting Inbound Agent, Sender Id Agent, Sender Filter Agent, Protocol Analysis Agent} 
OnEndOfData            {Edge Rule Agent, Content Filter Agent, Protocol Analysis Agent, Attachment Filtering Agent} 
OnHelpCommand          {} 
OnNoopCommand          {} 
OnReject               {Protocol Analysis Agent} 
OnRsetCommand          {Protocol Analysis Agent} 
OnDisconnectEvent      {Protocol Analysis Agent} 

Figure 2: Output from the Get-MessageClassification command 

ClassificationID            : d74dbde8-4cb0-4043-ae4b-2a1b5686c9dc 
DisplayName                 : A/C Privileged 
DisplayPrecedence           : Medium 
Identity                    : Default:\ExACPrivileged 
IsDefault                   : True 
Locale                      : 
RecipientDescription        : This message is either a request for legal advice from an attorney or a response by an attorney to a request for legal advice. It should be treated confidentially, should only be sent to people with a need to know, and should only be forwarded by an attorney. 
RetainClassificationEnabled : True 
SenderDescription           : This message is either a request for legal advice from an attorney or a response by an attorney to a request for legal advice. It should be treated confidentially, should only be sent to people with a need to know, and should only be forwarded by an attorney. 
UserDisplayEnabled          : True 
Version                     : 0 

Adding New Message Classifications 

You create new message classifications on the server side for use by transport rules or by Outlook 2007 and OWA 2007 clients. You use the aptly named New-MessageClassification cmdlet through EMS to create message classifications. A few parameters are required as well. The message classification DisplayName parameter represents what users see in Outlook 2007 or OWA 2007 when selecting from the message classification list, as we'll see shortly. The SenderDescription and RecipientDescription fields are shown on messages that have been classified. You can see a complete list of parameters for the cmdlet in the Microsoft TechNet article "New-MessageClassification" (technet.microsoft.com/en-us/library/bb124400.aspx). 


As an example, the command 

New-MessageClassification -Name Articles 
    -DisplayName "Windows IT Pro" 
    -SenderDescription "This message contains information and content supporting Windows IT Pro magazine articles." 

creates a message classification with the minimum required parameters; it has an identity of Articles and a display name of Windows IT Pro (the display name contains spaces, so it must be quoted). The new classification is added to the Exchange Configuration container in AD. Of course, message classifications can be deleted in a similar manner with the Remove-MessageClassification cmdlet. 

Setting Up Outlook for Classifications 

Outlook isn't automatically aware of message classifications. Classifications are stored in AD and need to be exported to an XML file for Outlook, which you can do with a PowerShell script found in the scripts folder in the Exchange 2007 installation path (\program files\microsoft\exchange server\scripts\export-messageclassification.ps1). When you execute the script, pipe the output to an XML file (the path contains spaces, so quote it and invoke it with the call operator): 

& "c:\program files\microsoft\exchange server\scripts\export-messageclassification.ps1" >> mclass.xml 

Exporting multiple times to the same XML file appends the content instead of replacing it, which makes the file unusable by Outlook. You must use a unique name or remove any existing XML file by the same name before exporting. 


Message classifications are available only with Outlook 2007 using MAPI or with OWA on an Exchange 2007 server running the Client Access role and accessing an Exchange 2007 mailbox. They aren't visible to Windows Mobile clients, other ActiveSync clients, or clients accessing Exchange with other Internet protocols, including POP3 and IMAP4. Classifications are defined in the exported XML file, but that file needs to be pushed out to clients. You could use a network share, but pushing the XML file to the actual workstation is recommended, especially if users work offline with Cached Exchange Mode. 

You have to enable message classifications in Outlook 2007 on an individual client basis through the creation and configuration of a registry subkey, HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Policy. The subkey Policy doesn't exist by default and should only be created if the user's mailbox resides on an Exchange 2007 Mailbox server. You also don't need to enable clients that won't access the message classification system. In the Policy subkey, set the following values (shown in .reg file syntax, where backslashes in string values are doubled): 

• "AdminClassificationPath"="c:\\Email\\mclass.xml" 

• "EnableClassifications"=dword:00000001 

• "TrustClassifications"=dword:00000001 

The full path and file name for the XML file must match what you assign using the AdminClassificationPath value in the registry. 

Step-by-Step Message Classification Distribution 

Message classification in Exchange 2007 isn't a set-and-forget configuration for Outlook and OWA. Any changes or additions made to the classifications on the Exchange server require another XML export and redistribution to Outlook clients. As a mini-review, the steps to distributing or updating message classifications for use at the client are: 

1. Add or change message classification through EMS 

2. Run the export shell script to create the XML file for clients 

3. Add registry subkey on clients that don't have it yet 

4. Distribute the XML file to clients to the location defined in the local client registry 

5. Restart Outlook if necessary 

Figure 3: Selecting a message classification in a new email message (screenshot of a new Outlook 2007 message; the drop-down under the Permission button lists No Restrictions, Do Not Forward, Windows IT Pro, A/C Privileged, Attachment Removed, Company Confidential, Company Internal, Originator Requested Alternate Recipient Mail, Partner Mail, and Manage Credentials) 
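Steps 2 through 4 above can be scripted. The following is an added example, not code from the article or from Microsoft: Export-ClassificationXml is meant to run in EMS on the Exchange 2007 server, and Enable-OutlookClassifications on the workstation as the user being configured; the staging path C:\Scripts\mclass.xml and the function names are assumptions, while the export script location, the registry subkey and the three values come from the article.

```powershell
# Added example (not from the article). Scripted version of steps 2 to 4 of
# the distribution procedure. Export-ClassificationXml runs on the Exchange
# 2007 server in EMS; Enable-OutlookClassifications runs on the client as the
# user whose HKCU hive is configured. C:\Scripts\mclass.xml is a placeholder.

function Export-ClassificationXml {
    param([string]$OutFile = 'C:\Scripts\mclass.xml')   # staging copy (placeholder)

    $exportScript = Join-Path $env:ProgramFiles `
        'Microsoft\Exchange Server\scripts\export-messageclassification.ps1'
    if (-not (Test-Path $exportScript)) { throw "Export script not found: $exportScript" }

    # The article notes that exporting onto an existing file appends to it and
    # the result is unusable by Outlook, so any stale copy is removed first.
    if (Test-Path $OutFile) { Remove-Item -Path $OutFile -Force }
    & $exportScript > $OutFile

    # Refuse to distribute a file that is not well-formed XML; an appended
    # export has two root elements and makes the [xml] cast throw.
    try {
        [xml]$doc = Get-Content -Path $OutFile
        Write-Host ("Exported classifications, root element <{0}>" -f $doc.DocumentElement.Name)
    } catch {
        throw "Export produced invalid XML in $OutFile : $($_.Exception.Message)"
    }
    return $OutFile
}

function Enable-OutlookClassifications {
    param(
        [string]$SourceXml,                          # file produced by Export-ClassificationXml
        [string]$ClientXml = 'C:\Email\mclass.xml'   # path the article uses in the registry
    )
    $policyKey = 'HKCU:\Software\Microsoft\Office\12.0\Common\Policy'

    # Step 4: place the XML where the registry will point. A copy on the
    # workstation itself is what the article recommends for Cached Exchange Mode.
    $dir = Split-Path -Path $ClientXml -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Copy-Item -Path $SourceXml -Destination $ClientXml -Force

    # Step 3: the Policy subkey does not exist by default. Create it and set the
    # three values from the article: one REG_SZ path and two REG_DWORD flags.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'AdminClassificationPath' -Value $ClientXml -Type String
    Set-ItemProperty -Path $policyKey -Name 'EnableClassifications'   -Value 1          -Type DWord
    Set-ItemProperty -Path $policyKey -Name 'TrustClassifications'    -Value 1          -Type DWord

    # The registry value and the file on disk must agree, or Outlook shows no
    # classifications at all.
    $configured = (Get-ItemProperty -Path $policyKey).AdminClassificationPath
    if (-not (Test-Path $configured)) {
        throw "AdminClassificationPath points at a missing file: $configured"
    }
    return $configured
}

# Example run (step 5, restarting Outlook, is left to the user):
# $xml = Export-ClassificationXml                  # on the server, in EMS
# Enable-OutlookClassifications -SourceXml $xml    # on the client, after copying $xml over
```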


After these steps are completed, any changes or additions to message classifications can be used in transport rules to control message flow, maintain compliance, and enforce policy. 

The requirement to manually create and distribute the XML file for message classification has been its Achilles' heel, limiting its adoption, especially for larger organizations. However, when a company establishes a solid set of message classifications and has them in place on Outlook 2007 clients, no further maintenance is required. It's only when changes need to be applied, whether adding a new classification or reinstalling a client workstation, that the tedious nature of message classification deployment arises. 

There are tools within typical Windows networks that can assist in the distribution of updates to clients, including Group Policy and the Office Customization Tool for Office 2007. Some third-party application management products can apply registry changes and distribute files to workstations as well. 

Even with these tools, message classification adds administrative complexity that might not be worth the value of the deployed feature. 

Using Transport Rules with Classifications 

Message classifications are a way for users and organizations to better describe messages. They aren't associated with any transport rule by default. With Hub Transport rules, you can control how messages move within your organization. These rules evaluate whether messages meet one or more conditions, then check whether they meet any exceptions. If a message passes through these predicates, then the configured action is taken. In each step—conditions, exceptions, and actions—there's an option for consideration of message classifications. 

Let's put the sample message classification we created earlier, named Articles, to work. First, follow the steps outlined in the previous section. Add a recipient description using EMS as follows: 

Set-MessageClassification -Identity Articles 
    -RecipientDescription "Alert! Windows IT Pro Article Content!" 

Figure 4: Setting a transport rule condition in the New Transport Rule wizard (screenshot of the Conditions page, with the rule description reading "Apply rule to messages sent to Editor") 

RecipientDescription is an optional parameter in message classification creation. Next, run the export script to create a new XML file with this change; if you have more than one change to make, it's more efficient to do them all before creating the XML file. 

You should verify the changes by sending a test message and confirming the message classification works as expected. Create a new email message and select the new classification from the drop-down menu under the Permissions button, as Figure 3 shows. When this message classification is selected in Outlook 2007, the sender description text appears at the top of the message. 

With this message classification in place, let's create a transport rule for illustration purposes. The goal of this rule will be to assign the classification Articles to messages sent to our internal editor address unless they're sent with low importance. In EMC, navigate to the Organization Configuration container and select Hub Transport. Recall that transport rules are stored in AD and apply to all Hub Transport servers in the organization. Select the Transport Rules tab, then click New Transport Rule in the Action pane to open the New Transport Rule wizard. 

Transport rules must be assigned a name, but the description is optional. Click Next to go to the Conditions screen, select the check box for sent to people, and edit the description so the rule is applied to messages sent to Editor, as Figure 4, page 37, shows. Next, the wizard displays the Action screen where you can assign the message classification Articles, selected by its display name of Windows IT Pro, to messages meeting the conditions of the rule, as Figure 5 shows. Now, this rule needs an exception for messages sent with Low Importance, which you can set on the Exceptions screen. Click Next to complete the new transport rule, and the final window shows the PowerShell command you could use to create this same rule through EMS. 

Figure 5: Selecting a transport rule action in the New Transport Rule wizard (screenshot of the Actions page with apply message classification checked and the Select message classification dialog listing the available classifications by display name) 
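The same rule built directly in EMS, as an added example that is not from the article or from Microsoft's documentation; it goes slightly beyond the wizard walk-through by also showing a classification used as a rule condition. It assumes a mailbox with alias Editor, the Articles classification created earlier, a resource mailbox alias ClientCorrespondence, and the Exchange 2007 predicate and action property names (Addresses, Importance, Classification); the rule names are made up.

```powershell
# Added example (not from the article). Creates the editor rule from the
# wizard walk-through in EMS on a Hub Transport server, then a second rule in
# which a classification is the condition rather than the action.
# Assumptions: mailbox alias Editor, classification Articles, resource mailbox
# alias ClientCorrespondence, and the Exchange 2007 predicate/action objects
# returned by Get-TransportRulePredicate / Get-TransportRuleAction.

# --- Rule 1: classify mail sent to Editor unless it was sent with Low importance ---
$sentToEditor = Get-TransportRulePredicate SentTo              # condition: sent to people
$sentToEditor.Addresses = @(Get-Mailbox -Identity Editor)

$lowImportance = Get-TransportRulePredicate WithImportance     # exception: marked with importance
$lowImportance.Importance = 'Low'

$applyArticles = Get-TransportRuleAction ApplyClassification   # action: apply message classification
$applyArticles.Classification = (Get-MessageClassification -Identity Articles).Identity

New-TransportRule -Name 'Classify editor submissions' `
    -Comments 'Tags mail sent to Editor with the Articles (Windows IT Pro) classification' `
    -Conditions @($sentToEditor) -Exceptions @($lowImportance) -Actions @($applyArticles)

# --- Rule 2: classification as a condition. Copy mail users marked A/C Privileged
# to a resource mailbox, as in the law firm scenario the article describes.
$hasPrivileged = Get-TransportRulePredicate HasClassification
$hasPrivileged.Classification = (Get-MessageClassification 'A/C Privileged').Identity

$copyToResource = Get-TransportRuleAction CopyTo
$copyToResource.Addresses = @(Get-Mailbox -Identity ClientCorrespondence)

New-TransportRule -Name 'Archive privileged client mail' `
    -Comments 'Keeps a copy of A/C Privileged messages in the ClientCorrespondence mailbox' `
    -Conditions @($hasPrivileged) -Actions @($copyToResource)

# Both rules are stored in AD, so every Hub Transport server applies them.
# Confirm they exist and are enabled before sending a test message.
Get-TransportRule |
    Where-Object { $_.Name -eq 'Classify editor submissions' -or $_.Name -eq 'Archive privileged client mail' } |
    Format-List Name, Enabled, Priority, Conditions, Exceptions, Actions
```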

To test this transport rule, you can send an email message without any message classifications assigned to it to the Editor mailbox and verify that the message is assigned the message classification when it arrives. Figure 6 shows the Recipient Description text applied by the message classification Articles, which was assigned to the test email by the transport rule. 

The full set of Hub Transport rule conditions and exceptions shown in Web Table 1 is available for transport rules based on message classification. Transport rule actions can be applied based on the presence of a specific message classification, and a message classification can be applied to a message based on certain transport rule conditions. Messages to or from specific people or groups, messages with specific words or text patterns in addresses, message bodies, or header content, and even attachment name or size can all be used by companies to regulate message flow. 

As an example, a small law firm in Vancouver uses message classifications and transport rules to separate important client communication into a resource mailbox, regardless of sender. Users assign message classifications before sending critical email messages to clients, and a transport rule copies the message to the resource mailbox based on the presence of the message classification and the recipient address. 

Some companies might use message classification to emphasize the importance or confidentiality of an email message. The HR department could send out a message advising staff about changes in the health plan and select a message classification designed to display specific recipient text at the top of messages read in Outlook 2007 and OWA 2007. 

Rules and Classifications: Better Together 

When you use message classification in the formation of Hub Transport rules, either as a condition, an exception, or an action, you get greater administrative control over message flow. Classifications can help you use transport rules to enforce corporate policy, adhere to compliance initiatives, and generally prevent email content from being distributed to recipients that shouldn't have access to it. 

The system of transport rules isn't perfect, and the challenges of message classification distribution might prevent some companies from deploying the feature. Still, the full versatility of transport rules from enforcing ethical walls to appending disclaimers is enhanced by the message labeling system called message classification. 

InstantDoc ID 102849 

Figure 6: An email message with Recipient Description text displayed 
Don't leave your scripts scattered about on your computer 


I have to admit that after many years of scripting I have scripts all over the place on my computer. They're in a variety of folders on different drives. Some are well organized, and some are not. Some I forgot about, while others have been hiding out in inconspicuous locations for a very long time. 

To make matters worse, PCs aren't backed up where I work. Needless to say, if I were to have a disk go bad and lose all my scripts, I would be quite upset. 

Instead of trying to hunt down all my scripts and copy them to a USB drive or a network location that is backed up, I decided to round them all up with a script. ScriptRoundUp.vbs uses Windows Management Instrumentation (WMI) to find all the .vbs and .hta files on my local C and D drives. The query used in the script can easily be modified to look at different local drives and to look for other file extensions, so you could round up Windows PowerShell scripts, Microsoft Word documents, or Microsoft Excel spreadsheets by making just a slight modification. Let's look at how to use ScriptRoundUp.vbs and how it works. 

How to Use the Script 

Locating files using WMI is nothing new to most scriptwriters, so what sets ScriptRoundUp.vbs apart from the many 
WMI scripts that you might already have? The main difference is that ScriptRoundUp.vbs makes copies of all the 
files meeting the specified criteria and places those copies in a centralized location so that you have all your scripts 
in one location. You can then copy them from the centralized location to a USB drive or network location in one fell 
swoop. This centralized location is hardcoded in the script as C:\Scripts\AllScripts\ScriptFiles. The script doesn't 
create this folder, so you must create it prior to running the script. 

If you want to store the copies in a different folder, you just need to find the code 

ColPath = "C:\Scripts\AllScripts\" 
DestRoot = ColPath & "ScriptFiles" 

near the beginning of ScriptRoundUp.vbs. (You can download this script by going to www.windowsitpro.com, entering 102139 in the InstantDoc ID box, clicking Go, then clicking the Download the Code Here button.) ColPath is the collection path where the script creates and stores an .xml database that contains information about all the files returned by the WMI query. In this case, the C:\Scripts\AllScripts folder contains the .xml database. DestRoot specifies the destination root folder where all the scripts will be stored—in this case, it's the ScriptFiles folder. You can change this subfolder by modifying the second line, but be sure to leave the variable names ColPath and DestRoot intact. Once again, you need to create the subfolder before running the script. 

VBScript files and HTML Applications (HTAs) usually don't take up a lot of space. (I have well over a thousand scripts and HTAs and they consume only about 56MB total.) However, if your C drive is extremely low on disk space, you might want to change the ColPath value to another folder location on a different drive. 

The only other code you might want to modify is the WMI query 

Listing 1: ScriptRoundUp.vbs 

' Callouts A through D mark the sections discussed in the article text. 
Const adPersistXML = 1 
Const adFldIsNullable = 32 
Const adLongVarChar = 201 
ColPath = "C:\Scripts\AllScripts\" 
DestRoot = ColPath & "ScriptFiles" 
strQuery = "Select Drive,Extension,Name,Path from CIM_DataFile " & _ 
    "Where (Drive='c:' OR Drive='d:') AND (extension='vbs' OR extension='hta')" 

' Both the collection folder and the destination root must already exist. 
Set fso = CreateObject("Scripting.FileSystemObject") 
If Not fso.FolderExists(ColPath) Or Not fso.FolderExists(DestRoot) Then 
    MsgBox "Collection Folder " & ColPath & " or " & DestRoot & _ 
        " does not exist... Terminating Script" 
    WScript.Quit 
End If 

strMessage = "A message box will appear when process is complete." 
strMsgTitle = "Script Round-up" 
CreateObject("WScript.Shell").Popup strMessage, 10, strMsgTitle, vbInformation 

' (A) Shell Folder object bound to the destination root folder 
Set objShell = CreateObject("Shell.Application") 
Set RootFolder = objShell.NameSpace(DestRoot) 

' (B) Disconnected ADO recordset used as an interim database for the file list 
Set DRS = CreateObject("ADODB.Recordset") 
DRS.Fields.Append "Drive", adLongVarChar, 256, adFldIsNullable 
DRS.Fields.Append "Extension", adLongVarChar, 256, adFldIsNullable 
DRS.Fields.Append "Name", adLongVarChar, 256, adFldIsNullable 
DRS.Fields.Append "Path", adLongVarChar, 256, adFldIsNullable 
DRS.Open 

' (C) Run the WMI query and load every matching file into the recordset 
Set objWMIService = GetObject("winmgmts:" _ 
    & "{impersonationLevel=impersonate}!\\.\root\cimv2") 
Set colFiles = objWMIService.ExecQuery(strQuery) 
For Each objFile In colFiles 
    DRS.AddNew 
    DRS("Drive") = objFile.Drive 
    DRS("Extension") = objFile.Extension 
    DRS("Name") = objFile.Name 
    DRS("Path") = objFile.Path 
Next 

' (D) Create each file's subfolder under DestRoot and copy the file into it 
DRS.MoveFirst 
Do While Not DRS.EOF 
    FolderPath = Replace(DRS.Fields.Item("Drive") & DRS.Fields.Item("Path"), ":", "") 
    Dest = DestRoot & "\" & Replace(DRS.Fields.Item("Drive"), ":", "") & _ 
        DRS.Fields.Item("Path") 
    If Not fso.FolderExists(Dest) Then 
        RootFolder.NewFolder(FolderPath) 
    End If 
    Set sourcefile = Nothing 
    Set sourcefile = fso.GetFile(DRS.Fields.Item("Name")) 
    sourcefile.Copy Dest 
    DRS.MoveNext 
Loop 

' Persist the file list as an XML database, replacing any earlier copy 
If fso.FileExists(ColPath & "Scripts.xml") Then 
    fso.DeleteFile(ColPath & "Scripts.xml") 
End If 
DRS.Save ColPath & "Scripts.xml", adPersistXML 
DRS.Close 
MsgBox "Done" 


strQuery = _ 
    "Select Drive,Name," & _ 
    "Extension,Path from " & _ 
    "CIM_DataFile " & _ 
    "Where (Drive='c:' OR " & _ 
    "Drive='d:') AND " & _ 
    "(extension='vbs' OR " & _ 
    "extension='hta')" 

This query looks for VBScript and HTA files on the C and D drives. You can easily modify this code to look for different types of files on different local drives. For example, if you want to find JScript and PowerShell files, you'd modify the statement to look like 

strQuery = _ 
    "Select Drive,Name," & _ 
    "Extension,Path from " & _ 
    "CIM_DataFile " & _ 
    "Where (Drive='c:' OR " & _ 
    "Drive='d:') AND " & _ 
    "(extension='js' OR " & _ 
    "extension='ps1')" 


After running the script (which 
could take a while, depending on 
how many scripts you have), open 
the destination root folder. You 
should find a folder for each of the 
hard drives listed in the query. If 
you open these folders, you should 
see a myriad of subfolders that 
contain your VBScript scripts and 
HTAs. 

Before running ScriptRoundUp.vbs a second time, I suggest that you delete all the files and folders from the C:\Scripts\AllScripts folder after you've copied them to a safe place. If you leave them on your hard drive and run the script again, you'll end up collecting those files as well, virtually doubling the time it takes to run the script and doubling the amount of space used to house the files. 

I should also point out that I chose to use a database as an interim holding tank because using a database makes the process much cleaner than copying files directly from WMI collections. Plus, if I decide to extend this script's functionality (e.g., have it look for duplicate files), I would have a means to do so. 

How the Script Works 

As Listing 1 shows, ScriptRoundUp.vbs is relatively short and not too complex. I'll describe how it works, summarizing certain sections and elaborating on a few areas. 

After setting up the reference variables and query string, the script checks to make sure both the C:\Scripts\AllScripts and C:\Scripts\AllScripts\ScriptFiles folders exist. If they don't, a message lets you know that one or both folders are missing and the script terminates. 

Next, at callout A in Listing 1, ScriptRoundUp.vbs creates a Folder object named RootFolder that's bound to the destination root folder. (This object is part of the Windows Shell API for scripting.) Using the Folder object's NewFolder method, the script adds subfolders to the destination root folder. The subfolder names are derived from the actual folder names that house the .vbs and .hta files. 

At callout B, the script sets up an ActiveX Data Objects (ADO) database to store the file information returned by the WMI query. The database is composed of four fields, each relating to specific WMI properties: 
• The Drive field, which contains the file's drive letter (e.g., C) 

• The Extension field, which contains the filename extension (e.g., vbs) 

• The Name field, which contains the complete path and filename (e.g., C:\Scripts\RoundUp\ScriptRoundup.vbs) 

• The Path field, which contains just the path with leading and ending backslashes (e.g., \Scripts\RoundUp\) 

Shortly, you'll see how these four fields play an important part in constructing the subfolder names and copying the files. 

In callout C, ScriptRoundUp.vbs executes the WMI query. The script stores the files that meet the criteria in a collection. A VBScript For Each...Next statement cycles through the collection. Each file's drive, extension, name, and path are retrieved and stored in the appropriate fields in the database. After all the file information has been added to the database, the record pointer is positioned at the first record. 

The Do...Loop statement in callout D is the heart of the script—it's where all the subfolders get created and all the files get copied. Keep in mind that the subfolders are all created in the destination root folder. So, for example, the C:\Scripts\RoundUp\ScriptRoundUp.vbs file would be copied to C:\Scripts\AllScripts\ScriptFiles\C\Scripts\RoundUp\ScriptRoundup.vbs. 

Let's take a close look at the Do...Loop statement. The code 

FolderPath = Replace(DRS.Fields.Item("Drive") _ 
    & DRS.Fields.Item("Path"), ":", "") 

Backing up all your 
.vbs and .hta files is 
as easy as running 
ScriptRoundUp.vbs 
and copying the 
rounded-up files 
to your backup 
location. 

constructs the FolderPath variable's value 
from the drive letter (with the colon 
stripped out) and the path. The resulting 
value would look something like C\Scripts\ 
RoundUpV The FolderPath variable will be 
used to create the subfolder to house the 
file. However, before that occurs, the script 
tests for the existence of the subfolder in 
FolderPath. That way, if it already exists, an 
attempt won't be made to create it again. 
The code 

Dest = DestRoot & "\" & Replace _ 
  (DRS.Fields.Item("Drive"),":","") _ 
  & DRS.Fields.Item("Path") 

sets the Dest variable, which is used for the existence test. The Dest variable's value is created basically the same way as the FolderPath variable's value, except the Dest variable's value is preceded with the value in the DestRoot variable (i.e., C:\Scripts\AllScripts\ScriptFiles) and would look something like C:\Scripts\AllScripts\ScriptFiles\C\Scripts\RoundUp\. 

After the Dest variable is set, the existence test takes place using the code 

If Not fso.FolderExists(Dest) Then 
  RootFolder.NewFolder(FolderPath) 
End If 

If the subfolder doesn't exist, the statement RootFolder.NewFolder(FolderPath) uses the name stored in the FolderPath variable to create the subfolder under the destination root folder. 

Next, the lines 

Set sourcefile = Nothing 
Set sourcefile = _ 
  fso.GetFile(DRS.Fields.Item("Name")) 
sourcefile.Copy Dest 

disassociate the sourcefile variable from any object, then set that variable to a Scripting Runtime Library File object that's bound to the file named by the value stored in the Name field of the database. Remember that the Name field contains the full path and filename of the file that was initially returned by the WMI query. With the File object created, it's simply a matter of calling that object's Copy method to copy the .vbs or .hta file specified in the Name field into the subfolder specified in the Dest variable. This process is repeated for each record in the database until reaching the end of file (EOF), after which the database is saved as C:\Scripts\AllScripts\Scripts.xml. 

That's it! All you have to do now is copy the files that you rounded up to wherever you want. Don't forget to delete them from the collection area if you plan on running the script again using the same criteria: the copies are themselves .vbs and .hta files on the same drive, so the next run's WMI query would return them too and copy them again into further nested subfolders. 
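The loop above, re-implemented in Python as an added example (this is not the article's VBScript): the same Drive/Path/Name split and the same FolderPath and Dest construction, with a plain directory walk in place of the WMI query and ADO recordset, and with the collection area skipped during the walk so that a rerun does not round up its own copies. The file names, roots and the `label` parameter (a stand-in for the drive letter on systems that have none) are constructed for the demonstration.

```python
"""Round up .vbs/.hta files into a tree that mirrors their source paths.

Added example in Python, not the article's ScriptRoundUp.vbs. It keeps the
article's mirroring rule (drive letter minus colon, then the source path,
created under a destination root) but replaces WMI and ADO with os.walk.
All paths and sample files below are constructed for the demonstration.
"""
import os
import shutil
import tempfile
from pathlib import Path, PureWindowsPath

EXTENSIONS = {".vbs", ".hta"}


def split_wmi_style(full_name: str) -> tuple[str, str, str]:
    """Return (Drive, Path, Name) the way the article's ADO fields hold them.

    'C:\\Scripts\\RoundUp\\ScriptRoundUp.vbs' ->
    ('C:', '\\Scripts\\RoundUp\\', 'C:\\Scripts\\RoundUp\\ScriptRoundUp.vbs')
    """
    p = PureWindowsPath(full_name)
    drive = p.drive                                          # 'C:'
    path = str(p.parent)[len(drive):].rstrip("\\") + "\\"   # leading and trailing backslash
    return drive, path, str(p)


def folder_path(drive: str, path: str) -> str:
    """The script's FolderPath: drive letter with the colon stripped, then the path."""
    return drive.replace(":", "") + path


def dest_folder(dest_root: str, drive: str, path: str) -> str:
    """The script's Dest: DestRoot & '\\' & FolderPath."""
    return dest_root.rstrip("\\") + "\\" + folder_path(drive, path)


def round_up(source_root: Path, dest_root: Path, label: str = "C") -> list[Path]:
    """Copy every .vbs/.hta under source_root to dest_root/<label>/<relative path>/.

    The destination root is skipped while walking, so a second run does not
    copy the first run's copies (the article's 'delete them before re-running'
    caveat, handled in code instead).
    """
    copied: list[Path] = []
    source_root = source_root.resolve()
    dest_root = dest_root.resolve()
    for dirpath, dirnames, filenames in os.walk(source_root):
        current = Path(dirpath).resolve()
        if current == dest_root or dest_root in current.parents:
            dirnames[:] = []            # do not descend into the collection area
            continue
        for name in filenames:
            src = current / name
            if src.suffix.lower() not in EXTENSIONS:
                continue
            target_dir = dest_root / label / current.relative_to(source_root)
            target_dir.mkdir(parents=True, exist_ok=True)   # FolderExists / NewFolder step
            shutil.copy2(src, target_dir / name)             # File.Copy step
            copied.append(target_dir / name)
    return copied


def demo() -> dict:
    """Build a constructed source tree, round it up twice, and report what landed."""
    root = Path(tempfile.mkdtemp())
    (root / "Scripts" / "RoundUp").mkdir(parents=True)
    (root / "Scripts" / "RoundUp" / "ScriptRoundUp.vbs").write_text("' constructed vbs\n")
    (root / "Tools").mkdir()
    (root / "Tools" / "panel.hta").write_text("<html></html>\n")
    (root / "Tools" / "notes.txt").write_text("ignored: wrong extension\n")
    dest = root / "Scripts" / "AllScripts" / "ScriptFiles"   # inside the walked tree, as in the article
    first = round_up(root, dest)
    second = round_up(root, dest)                            # rerun: same targets, no nesting
    return {
        "first": sorted(p.relative_to(dest).as_posix() for p in first),
        "second_count": len(second),
        "total_files": sum(1 for f in dest.rglob("*") if f.is_file()),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` twice over the same tree leaves two files under the destination, not four: the skip in `round_up` is what the article asks you to do by hand when it tells you to clear the collection area before a rerun.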

InstantDoc ID 102139 


Jim Turner (jturnervbs@gmail.com) is a domain administrator and applications developer for Computer Sciences Corporation. 

Windows IT Pro, www.windowsitpro.com, November 2009, page 41 





SharePoint Search Results 

by Ryan Thomas 

Combining out-of-the-box tools with third-party and custom solutions can help you build your way to a sleeker, more powerful SharePoint environment 



A significant number of organizations that use Microsoft Office SharePoint Server (MOSS) 
are failing to leverage some easy ways to improve both the quality of their data and the 
quality of their search results and associated user experience. 

Companies typically face common SharePoint search problems when they attempt 
to implement useful metadata options and quick and easy customizations. Others are 
constantly seeking small ways to move their intranets, collaboration data, and portals 
in the right direction for growth and maintenance. I want to provide help in those directions. I won't 
promise a huge lesson in enterprise information architecture or any grand scheme for overhauling the 
governance of your data or SharePoint environment, but I can suggest a number of free/inexpensive 
tools and useful ideas to help you improve the structure and content of your data. 

The Problem 

The most common scenario I see among SharePoint-using clients is a lack of design and planning at the data level. Many organizations have spent considerable time and IT dollars building a hardware and farm infrastructure, but they've spent little or no time working on the design of the actual data. A significant number of these implementations include a Help desk, site-provisioning tools, custom site definitions and templates, and a formal process for managing the farm, but they don't have a single custom content type, and during the analysis and design phase they haven't created any customized search results. Site administrators typically let the site owners use the available out-of-the-box SharePoint tools to organize their own data. This approach leads to either very little data management or inconsistent architecture and design across sites and search results. 

The problem increases over time as users add, version, and collaborate on larger and larger amounts of data in sites that have little or no metadata or classification. Users continue to upload documents into the pile and rely on SharePoint's search engine to index content and properly return results. Eventually, this system breaks down when the volume of documents becomes so large that search results are significantly littered with correct but unintended results. SharePoint's out-of-the-box search cries out for some options to filter the data into usable compartments. These filters can be standard metadata items such as the author, content type, and language; however, additional options available via search scopes and limitations based on location or custom properties can greatly increase relevancy. 

IT pros within the organization face a daily challenge. They generally need to understand enough about all the disparate data sources within the corporate firewall to locate pertinent information to complete their job functions. They often ask to search multiple locations from a single location instead of logging on to remote applications or websites and searching and tallying results manually. They want more options to sort and drill down on the data returned. They also might need to manage the data, either by asking for and receiving additional metadata within their results, gaining access to custom search applications, or modifying components of the actual data as required and allowed. 

Start with Legwork 

You need to realize that it's almost impossible in a large organization to perform a complete analysis and formulate a master plan in advance. Convincing budget makers, stakeholders, users, and a committee to take on months of meetings and design sessions is generally unattainable. The risk starts to become too visible. Although the rewards can seem empowering, they can also be very difficult to achieve. My opinion is that a waterfall approach to this process is a setup for failure. 

Instead, I recommend tackling the first small problem you want to solve. Such problems will be different for each department and user, but you're probably considering this project because you're already aware of a few data, organizational, or search concerns based on community complaints. Those with the loudest complaint will be the most likely to help formulate a solution, creating the perfect opportunity to start solving specific, incremental problems. 

This article is about tools and options for correcting such problems, but you need to understand the importance of advance legwork. Forming a small committee of decision makers and users willing to meet quickly every week can be beneficial. This group can help communicate requirements from different aspects of the organization and can evaluate potential tools and solutions in a testing environment. Those involved also serve to evangelize your options within the organization—key to getting the word out about any changes and to soliciting feedback. 

Before we jump into your options, remember to stay focused without losing sight of the big picture. Keep your cycles short, and get some small wins, but understand that each small win adds another component to your overall solution. You'll gradually gain knowledge about the data in your organization while also solving specific problems. With proper attention to the big picture, you should end up with a relatively stable solution and a significant understanding of how your architecture is pieced together (as well as what gaps remain). 
Out-of-the-Box Options 

Let's begin with basic options available to 
everyone using at least MOSS. Following are 
simple descriptions of the options and how 
you can use them. 

Content Sources. Content Sources denote the items that SharePoint's crawling engine looks at and creates a searchable index for. Keep in mind, these can be broken out for scheduling and different rules, even among internal SharePoint locations, helping with time management and handling large data stores. 

Managed Properties. Managed Properties are the metadata items that the crawling engine finds when viewing your data. They even pick up custom columns in SharePoint lists. You can roll these up into custom properties and use them as rules and filters in search scopes and advanced searching techniques. 

Search Scopes. You can configure SharePoint to limit the scope of a search by managed property (equal or not equal to), by locations, and by content class. The content class is a little-known property in SharePoint that represents an item's internal classification—for example, List Type and Item Type. You can use these properties to create scopes that will return only web pages instead of list items or documents. A significant number of other classification options are also available. 

Thesaurus. Many administrators aren't aware of the SharePoint thesaurus, a system-level XML file that lets you create global replacements for common terms. This feature removes the burden on site-collection administrators of creating custom keywords for each new site collection when common domain-level terms need to have synonyms in their searches. 

Keywords and Best Bets. Critical and often overlooked, these items give the individual site collection the power to create keywords with any number of synonyms as a search replacement. The real benefit is the ability to create Best Bets, which let users add links to any content that will automatically appear at the top of search results when a keyword or synonym appears in the search terms. 

Custom search pages. The standard Search Results page is made up of a significant number of web parts that represent a large number of options for the end user. I'll discuss just the core Search Results web part. This web part is essentially just a large Extensible Stylesheet Language (XSL) transform code block. It takes the Extensible Markup Language (XML) search results and transforms them into whatever layout you, the end user, and the designer put in place. 

One of the best ways to evaluate your options is to look at the raw XML returned from your search to see what data is actually available for designing a custom search page. You'll see that many properties are included—specifically, the custom properties you've defined in your Shared Services Provider (SSP). This step lets you include additional data, group the data and add custom links based on If statements, and so on. Depending on the type of data you expect to return in your results, you can create very specific views of this data. 

Understand that you aren't limited to the single Search Results page offered by SharePoint's out-of-the-box search center. You can create as many custom pages as you want, with very specific criteria and results layouts. Simply linking to them from appropriate locations within your organization can direct people to more focused search locations. 

Third-Party or In-House Tool Options 

Although there are many additional out-of-the-box enterprise search-management approaches, you need to be aware of additional tools and third-party components. The following tools are in no particular order, and many are open-source. 

User ratings. With the advancement of Web 2.0—and its focus on socialization, networking, and data-interaction freedom—SharePoint content needs a boost to handle some of the requirements of this new environment. Thankfully, SharePoint is an easy platform to work with from a development perspective, and there are some free and inexpensive third-party web solutions that can do most of the work for you. 

Rating content has become crucial to the interactive style of modern technical communication. Not all enterprise data needs or warrants rating from the user community, but a large amount does. You can download and install functionality to provide a common star-rating column for any SharePoint list or library. The tools are intelligent enough to permit only a single rating by each user account, and they also support comments. Site owners can add this feature to only the lists and libraries they choose. The ratings are simple and easy to add to search results pages, with filtering based on minimum star rating. 

Facets. There are free, open-source tools available that allow dynamic pivoting on properties returned in the Search Results XML file. You can customize the tools to add or limit the specific properties that are available for pivoting in each search result. They are 100 percent UI-based, letting you select links to continue drilling down and filtering on as many properties as you want. The software shows you which filters you've applied and lets you remove them individually at any time. You can add these web parts to any Search Results page. 

Federation. In the summer of 2008, Microsoft released its Infrastructure Update for MOSS, which included the ability to call external (or internal) search locations and return the results to a web part. You can use almost any search engine to run queries in real time and return the results to SharePoint. This becomes a powerful tool when you're creating single-location search centers that can simultaneously search all internal search engines and return the results from a single query. With Federation, you can even search SharePoint search scopes specifically by using a federated location, thus querying multiple SharePoint search scopes in a single query but segmenting their results into usable buckets. These federated search web parts can also search external search engines if you need to include results from public locations. (Be aware that your users will be broadcasting search terms to public locations.) 

Export data into SharePoint. Although this capability might seem backwards from a search perspective, consider exporting data from other line-of-business applications into HTML pages and importing them into SharePoint at regular intervals. Think about some potential wins: Owners of other applications get to choose what data to query and export, they can design a metadata scheme to apply to their data as it's imported into SharePoint, they choose the intervals at which data is exported, and they control the layout and structure of how their data is viewed. Using some of the SharePoint web services or relatively simple programming can accomplish the import tasks. Therefore, SharePoint can have native content added to lists and libraries and crawl it as local content instead of using the Business Data Catalog or Federated Search to query external data held within other applications. 

Custom web parts. With four or five days of development, you can build a custom web part that queries an internal database, looks up metadata for common document details within your organization, and uploads a document with routing rules. If you have proprietary business data that would be beneficial to apply as metadata to SharePoint documents, a custom tool can be powerful. Essentially, the project queries other internal databases to look up pertinent data that you want to apply to documents being uploaded to SharePoint. With some basic business logic, this web part can look up linked data based on user selections, then upload and route the document based on the applied metadata. This solution lets you apply important properties to your SharePoint content without requiring your users to enter all the data by hand. 

BDC. Although entire books have been written about the Business Data Catalog (BDC), it's worth mentioning the power that it can hold from a data-querying and data-retrieval perspective. The BDC data can be quite interactive and used in various web parts, can connect to other web parts for filtering, and can be added to lists as custom columns. Ultimately, it can be read in a very similar fashion to list data in SharePoint. What we care about is how it can be searched. The BDC can connect to internal applications that can be accessed via an ADO.NET provider or web services. Data can be set up as a content source in SharePoint (Enterprise version) for crawling and indexing and can then be searched and returned via standard SharePoint searching capabilities. This can all be done without coding, yet a significant amount of XML must be written. A few excellent tools in the marketplace can help you create these XML definition files. 

Available Tools 

I want to call out some tools that are available as free downloads. Most of the options I outlined are available in some form at CodePlex (www.codeplex.com). There are various versions, each with strengths and weaknesses. I encourage you to set up a test environment and test them. The site contains almost all the tools and utilities you'll need to help with search; I use them regularly. Here are some additional items and ideas to consider: 

• Viewing tool—This tool lets you load 
and view all your SharePoint sites from 
a tree view, starting at a web application 
and drilling down to properties on a list 
item. 

• Search tool—This tool lets you query the 
engine directly via an external UI. 

• Tool for modifying relevancy rankings 
and testing the results. 

• XSL samples from other people in the 
community—These can show you what 
others are building for search results 
pages. 

• Adding wildcard searching options. 

• Better management of searches based 
on custom properties. 

• Regular Expression searching tools—These let you create custom regular expressions to search content in SharePoint. They're ideal for uncovering specific formats of data, such as credit card numbers, telephone numbers, and social security numbers. 
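As an added example (not one of the CodePlex tools the article refers to), here is the kind of pattern scan those tools perform, written in Python, with the two checks that keep such a scan from drowning in false positives: a Luhn checksum on card-number candidates and the SSA area/group/serial rules on SSN candidates. The sample document text is constructed, and the patterns are this example's own, not a published tool's.

```python
"""Scan document text for credit card, SSN and phone-number formats.

Added example, not part of the article or the tools it names. A raw regular
expression over-matches badly on this kind of data; the card check is gated
on the Luhn checksum and the SSN check on the SSA rules (area not 000, 666 or
900-999; group not 00; serial not 0000). The sample text is constructed.
"""
import re

# Card candidates: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# SSN written with dashes, with the invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# North American number written 555-010-2345 or 555.010.2345.
PHONE_RE = re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return normalized (separator-free) card numbers that pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(digits: str) -> str:
    """Keep only the last four digits when reporting a hit."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> dict:
    """Run all three detectors over one document's text."""
    return {
        "credit_card": find_card_numbers(text),
        "ssn": SSN_RE.findall(text),
        "phone": PHONE_RE.findall(text),
    }


# Constructed sample document: one true positive per category plus decoys.
SAMPLE = (
    "Constructed sample document.\n"
    "Card on file: 4111 1111 1111 1111 (test number, passes Luhn)\n"
    "Typo'd card: 4111 1111 1111 1112 (fails Luhn, must not be reported)\n"
    "Employee SSN 123-45-6789; 666-12-3456 is not a valid SSN.\n"
    "Call 555-010-2345 with questions; order 2009-11-41 is not a phone number.\n"
)

if __name__ == "__main__":
    hits = scan(SAMPLE)
    print("cards:", [mask(c) for c in hits["credit_card"]])
    print("ssns: ", hits["ssn"])
    print("phones:", hits["phone"])
```

Against the constructed sample, the scan reports exactly one hit in each category; the mistyped card number and the 666 area number are dropped by the checksum and SSA rules rather than by the regular expressions themselves, which is where most of the false-positive reduction in a real content scan comes from.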

Hopefully, some of these ideas will empower you and your organization to begin making changes to help improve and spice up your 

NEW & IMPROVED 


■ Scripting ■ Systems Management ■ BlackBerry ■ Outlook 


Kace and Bomgar Announce Partnership 

Systems management appliance vendor Kace Systems and remote support specialist Bomgar announced that they've inked a partnership deal. Under the terms of the agreement, Kace customers using a Kbox appliance will be able to access Bomgar's remote support products from within the Kbox management console. "Our partnership with Bomgar is derived from a common vision—bringing innovative and robust appliance-based technology to market, which can be easily deployed and used by organizations of all sizes yielding unparalleled investment return rates," said Marty Kacin, president, CTO and co-founder of Kace in a statement announcing the partnership news. "Through this partnership, we continue to expand the suite of automation and security solutions available to our customers—providing them unmatched systems management and remote desktop control capability, all delivered within the industry's most innovative stack of appliance offerings." For more information, visit www.kace.com or www.bomgar.com. 


Remote Administration Software Puts a GUI Face on WMI's Functionality 


With PJ Technologies' WMIX 2.0, you don't have to know how to write scripts to take advantage of Windows Management Instrumentation's (WMI's) functionality. WMIX is a GUI front end to WMI. Because it has a GUI, anyone can query and manage remote Windows machines; no scripting is necessary. Because it's based on WMI, you don't have to install any software agents on the client machines. 

With WMIX, you can perform such tasks as querying and configuring settings and executing management tasks on local and remote machines. You can also generate built-in or custom reports. The enhancements in version 2.0 include a built-in script generator and a WQL query wizard. The built-in script generator lets you automatically generate a script for any task you initiate using the GUI. The generated scripts are automatically configured so that they can be run against the local machine, a remote machine, or a group of machines. In addition, all WMI parameters and values are converted to a user-friendly format. 

Using WMI Query Language (WQL) queries to filter the information that WMI returns is very helpful. However, creating WQL queries can be difficult because you need to know about WMI class definitions and WQL's syntax. WMIX includes a query wizard that guides you through the process of creating WQL queries. 

WMIX 2.0 runs on Windows 2000 and later, and supports clients running Windows NT SP3 and later. It's priced at $89 per user license. For more information, visit wmix.pjtec.com or contact PJ Technologies at sales@pjtec.com or 786-268-3517. 
BlackBerry User Self-Service Eases Help Desk Burden 

BoxTone's new module—called User Self-Service—allows users to quickly, easily troubleshoot their own problems without training and without the Help Desk, reducing Help Desk calls by 30-50 percent, according to the vendor. Since most of an organization's BlackBerry users are VIPs that can't tolerate or afford downtime, user self-service is a good model for improving employee satisfaction and efficiency. One limitation to this product is that users need to be able to access the web in order to troubleshoot their device. BoxTone's solution is sold in modules, meaning you can point and pick the services that you want, pay for what you order, and then upgrade or alter it later if you need to (User Self-Service is one such module). A deployment with 1-2 modules, on average, runs at about $35/user. To learn more, call 410-910-3344 or visit www.boxtone.com. 
Tripware Books Travel Directly in Microsoft Outlook 

Tripware is a travel tool that allows users to plan, book, and manage their travel needs and business meetings with one tool, profile, and itinerary in Microsoft Outlook 2007. To use Tripware, you create a meeting in Outlook, then click Book Trip and set your preferred destination and arrival, whether you want a car rental or hotel, and so on, and then have Tripware give you a preferred flight, rental, and so on. Tripware also analyzes habitual and repetitive behaviors to further automate the process, so if you always stay at the same hotel chain, for instance, it will give you that chain by default if you want. Tripware runs on the .NET Framework and is the only Microsoft Office plug-in that books travel, according to the vendor. To download the free plug-in, visit www.tripware.com. 


Bluelounge Presents Refresh 

Bluelounge introduces Refresh, a charging station that allows you to charge four devices simultaneously. Compatible with over 1,000 products, it comes with the following six connectors: two iPod/iPhone connectors, a Micro USB, a Mini USB, and two USB sockets. The charging station is compatible with the following brands: Apple, BlackBerry, Creative, Dopod, Eten, Garmin, HP, HTC, i-mate, Insignia, Iqua, iRiver, Jabra, LG, Memorex, Motorola, Nokia, O2, Palm, Philips, Plantronics, Qtek, Samsung, Sanyo, Sidekick, Sony and Toshiba. Bluelounge Refresh is offered in white, black, and pink and retails for $89.95. It is also available through www.bluelounge.com. 



Paul's Picks (www.winsupersite.com) 

Summaries of in-depth product reviews on Paul Thurrott's SuperSite for Windows 

Microsoft's Cloud Computing Strategy 

PROS: A surprisingly cohesive migration strategy for positioning Microsoft as a provider of cloud-based services. 

CONS: Partners are cut out when Microsoft hosts its own solutions. 

RATING: ♦♦♦♦O 

RECOMMENDATION: As its future revenue streams from desktop products dry up and its server products move from on-premises to hosted subscription services, Microsoft needs to profit from cloud computing. Compared to pure cloud-based companies like Google, it has two advantages: decades of experience and millions of customers, and a hybrid strategy that will prove invaluable to its most important customers: the enterprise. 

CONTACT: Microsoft • 800-426-9400 • www.microsoft.com 

DISCUSSION: www.winsupersite.com/server/fam_2009.asp 


Apple Mac OS X "Snow Leopard" 

PROS: Mature, capable OS, excellent performance, free Exchange interoperability. 

CONS: No major improvements, doesn't change the "switcher" value proposition, works only with latest Exchange version. 

RATING: ♦♦♦♦O 

RECOMMENDATION: Mac OS X 10.6 "Snow Leopard" is a nice refinement to an already solid OS. But we'd call it a service pack in the Microsoft world—and it certainly doesn't offer incentives to switch. Comparing Snow Leopard to Windows 7, Microsoft's is the more substantial offering, providing internal updates just like Snow Leopard but also major updates for users. Still, Apple made some nice performance improvements, getting set for further innovation. 

CONTACT: Apple • www.apple.com 

DISCUSSION: www.winsupersite.com/alt/snowleopard.asp 

InstantDoc ID 102826 
REVIEW 

Axceler ControlPoint 


Many IT pros have rushed to deploy SharePoint. The result is a proliferation of SharePoint installations that busy IT pros have to manage. Some management tools are included with SharePoint, but for now those management tools are somewhat limited. As the footprint of your SharePoint deployment grows, you need better tools to help you control it. We'll take a look at one product that promises to help you manage your growing SharePoint infrastructure: Axceler ControlPoint. 

A Control Point for SharePoint 

The Axceler website bills ControlPoint as a management tool that lets you "explore, protect, analyze and control your SharePoint environment." Axceler goes about that by bolstering the native capabilities of SharePoint in the areas of governance policy enforcement, content management, permissions management, and the ability to easily move sites and site collections. 

Installing ControlPoint was straightforward, and it includes options for deploying the tool to single farm or multi-farm SharePoint deployments. ControlPoint runs as a web app that is much like your SharePoint operations page, but with many more features. 

Moving Sites and Site Collections 

Some of my favorite ControlPoint tools deal 
with moving sites and site collections. From 
an admin's view the ability to move sites 
and groups of sites from one site collection 
to another is very helpful, and moving them 
from farm to farm is a task that ControlPoint 
can really help with. 

One common problem is that a SharePoint site user will have security problems with accessing parts of a site collection. ControlPoint provides tools to analyze the security problems and allow an admin to make a fast problem resolution. Administrators may often trust another IT pro to manage a SharePoint site collection, but granting large amounts of control can also create big problems. ControlPoint helps alleviate these problems by providing a robust alerting system that makes you aware of urgent issues like deleted sites or broken security inheritance. 

Some companies will have documents that are extremely valuable, and compliance requirements may require a history to be kept of what the security settings have been since those documents were added to the document library. Out of the box, SharePoint doesn't provide a way to clone permissions from several site collections to a single user with just a few mouse clicks. ControlPoint lets you perform that procedure by using a duplicate user permissions process. 

ControlPoint can generate comprehen¬ 
sive site reports that give managers and 
administrators information about all the 
users with access in a SharePoint farm and 
the content and data access levels they have. 

An intuitive interface lets you navigate through SharePoint sites, lists, and users. ControlPoint's interface integrates well with SharePoint. I liked this integration because a new administrator can drill through the conventional SharePoint management screens, and rely on the ControlPoint power tools to perform operations on a critical SharePoint application. While the interface is helpful, ControlPoint isn't for novices: Some SharePoint knowledge is needed to realize the full potential of this product. 

InstantDoc ID 102838 


Axceler ControlPoint 

PROS: Has strong tools for managing large deployments; integrates well with existing SharePoint user interface; the ability to manage user permission levels is nicely implemented 

CONS: Expensive for small deployments; requires some substantial SharePoint knowledge to really take advantage of the tools 

RATING: ♦♦♦♦O 

PRICE: $10,000 for average SharePoint farm plus $2,000 per year for support 

RECOMMENDATION: ControlPoint isn't for new SharePoint farms with a few users; the product is designed for larger SharePoint farms and provides the tools and intelligence to help you manage and monitor large farms effectively. 

CONTACT: Axceler • www.axceler.com • 781-995-0063 
Figure 1: ControlPoint makes it easy to manage SharePoint site lists and libraries. 


Curt Spanburgh (osgcurt@onesolutiongrp.com) 




Manage, monitor, and get more control over event logs 

by Lance Whitney 


Taking 5 Log Managers for a Spin 

Hunting through yet another Windows event log is often a necessary but time-consuming chore. One tool that can simplify this task is a Windows event log manager. An event log manager can help you more easily monitor and manage your event logs, find specific events, and generate reports. 

For this log manager roundup, I looked at five different Windows log managers. Depending on your needs, any of these five products would be a good alternative to the standard Windows event viewer. 

• FSPro Labs' Event Log Explorer 

• Altair Technologies' Event Reader 2 

• Dorian Software Creations' Event Analyst 

• Technology Lighthouse's EventMeister 

• Corner Bowl Software's Corner Bowl Log Manager 2009 

All five products support the EVT format used by Windows Server 2003 and Windows XP to save 
event log files, but not all support the EVTX format, which Windows Vista and Windows Server 2008 
use for event log files. 

To test the log managers, I installed each one under Windows 2003 as my base OS. I also installed 
products compatible with Vista and Server 2008 under those two systems to confirm compatibility and 
make sure they could read EVTX files directly. 

Of the five, the only program incompatible with Vista or Server 2008 was Event Reader 2. The company said that Event Reader 3 will support the newer OSs, though no release date was given. 

Event Log Explorer, Event Analyst, Event Meister, and Corner Bowl Log Manager run on Windows 
Server 2008/Vista/2003/XP/2000/NT; Event Reader 2 runs under Windows 2003/XP/2000. 
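Before the individual reviews, it helps to see the baseline the five products improve on: the archive, prefilter, shape, report and schedule loop done with nothing but what Windows Server 2008 and Vista ship with. The following is an added example for this roundup, not code from the article or from any reviewed product. It assumes PowerShell 2.0 run elevated (the Security log needs it), wevtutil and Get-WinEvent, the Vista/Server 2008 event IDs (4625 failed logon, 4648 logon with explicit credentials), and an illustrative archive folder under C:\LogArchive.

```powershell
# Added example, not from the article or any reviewed product. Assumes
# PowerShell 2.0 on Vista / Server 2008 (wevtutil, Get-WinEvent, EVTX), run
# elevated; the folder, file names and chosen event IDs are illustrative.

$archiveDir = 'C:\LogArchive'
if (-not (Test-Path $archiveDir)) { New-Item -ItemType Directory -Path $archiveDir | Out-Null }

# 1. Archive: save the live Security log as an EVTX file (what the reviewed
#    tools call a "backup" or "running archive").
$archive = Join-Path $archiveDir ('Security-{0:yyyyMMdd}.evtx' -f (Get-Date))
wevtutil epl Security $archive

# 2. Prefilter: ask only for failed logons (4625) and explicit-credential
#    logons (4648) from the last 24 hours instead of loading the whole log.
#    Get-WinEvent throws when nothing matches, hence SilentlyContinue.
$filter = @{ Path = $archive; Id = 4625, 4648; StartTime = (Get-Date).AddDays(-1) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 3. Shape: read the fields from the event's XML payload rather than
#    string-matching the rendered description, which changes between OS versions.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time     = $e.TimeCreated
        Id       = $e.Id
        Computer = $e.MachineName
        Account  = $d['TargetUserName']
        Domain   = $d['TargetDomainName']
        Source   = $d['IpAddress']
    }
}

# 4. Report: CSV for a database import, HTML for people, plus a
#    "most frequent" summary of the kind the built-in reports offer.
$rows | Export-Csv -NoTypeInformation (Join-Path $archiveDir 'logons.csv')
$rows | ConvertTo-Html -Title 'Logon failures, last 24h' | Out-File (Join-Path $archiveDir 'logons.html')
$rows | Group-Object Source | Sort-Object Count -Descending | Select-Object -First 10 Count, Name

# 5. Schedule: the part several reviewed tools add a GUI for. Register this
#    script as a daily job (adjust the script path to where you saved it).
# schtasks /Create /SC DAILY /ST 06:00 /TN "LogonReport" /TR "powershell.exe -File C:\Scripts\Logon-Report.ps1"
```

For a .evt file saved from a Windows 2003 or XP machine, Get-WinEvent reads it as well but requires -Oldest, and the pre-Vista IDs differ (529 for a failed logon, 552 for explicit credentials). What the script does not give you, and what the products below are mostly selling, is a central store for many machines, saved filters you can reuse across logs, and alerting when a chosen event appears.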

Event Log Explorer 3.1 

FSPro Labs' Event Log Explorer (see Figure 1, page 50) provides a no-frills window with a tree view of the 
computer on which you installed the program. You drill down on your current machine to see branches 
for each separate log file and double-click each log to open a list of its events in a table. 
Figure 1: Event Log Explorer 3.1 

Double-clicking a specific event opens a separate window consolidating information about the event type, date, time, and more. You can also find links to Microsoft's Knowledge Base and to the Event ID database, a web-based repository of Windows event log information. 

From the UI, you can add other computers to the tree view. A wizard automatically scans for other computers based on their role on the network. 

If you want to see just one specific log from another computer rather than all logs, you can run the Open Log command instead, browse the network or domain, then choose the machine. The Open Log File command lets you open existing EVT or EVTX log files from your local computer or any networked machine. To manage the many logs from different computers, you create multiple workspaces, each one storing a different tree of logs. 

To sort the events displayed in the main window, you can click on any column heading. To narrow the events displayed, you can apply filters by running the Filter command. The filtering system is very effective, offering a nicely designed dialog box. You can save any filter and apply it to other logs. 

A convenient Quick Filter option is also available to filter the log based on your current selection. To limit the number of events loaded, you can prefilter events before they open. You can also search through all the displayed events using the Find command. 

Event Log Explorer lets you save any log as an EVT or EVTX file, so you can keep a running archive. The software offers both manual and automated processes for backing up. 

You can export any log from Event Log Explorer into HTML to generate a report, or save it as a text file or Excel spreadsheet to incorporate into a database. You can choose to export all events or only selected ones, and include or exclude event descriptions, but nothing more. It also lacks a scheduling feature, so you can't automatically generate a report and have it emailed. 


Event Log Explorer 3.1 

PROS: Clean and simple UI; very effective filtering system 

CONS: No option for report scheduling 

RATING: ♦♦♦♦O 

PRICE: Free for personal use (can monitor up to 
three computers on a home network); starts at 
$99.95 to monitor up to five servers 

RECOMMENDATION: Event Log Explorer is a 
simple, well-designed product, ideal for any IT 
admin with basic log management needs. 

CONTACT: FSPro Labs • 7-0-903-438-4643 • 
www.eventlogxp.com 



Event Reader 2 

Event Reader 2 from Altair Technologies (see Figure 2) displays a tree view of your local computer, and you can drill down to see branches for each of the individual event logs. Clicking on a specific log displays its events and event properties. An Event Properties window displays a description of the event you select and its individual properties. Clicking the Event ID for a specific event brings you to the Event ID database, the web-based resource started by and still maintained by Altair Technologies. 

By default, Event Reader displays the logs for the computer on which it's installed. You can add additional computers to monitor. Event Reader 2 supports only EVT files, not EVTX. 

You can easily sort the events in any list 
by clicking the heading for each column. 
Event Reader offers several useful options 
to filter your data. A toolbar across the top 
displays buttons for each of the different 
event types, such as error, warning, and 
information. By default, all the buttons are 
turned on, but you can also exclude each 
type from the display. 

More advanced filtering options also are available, including filtering by event type, by date and time, and by event ID and source. The filter options were smoothly presented and simple to use. Event Reader offers no specific method to search for events. But in most cases, filtering provides a more efficient way of seeing events based on specific criteria. 

To create a report, you can export an event log into HTML. Event Reader provides a few basic but helpful options to format your HTML report, letting you choose the font, point size, and colors. You can also save a log directly to an FTP server, which simply uploads it as an HTML report. Keep in mind that FTP sends both the credentials and the report in the clear, and a logon report is itself sensitive, so restrict that upload to a trusted network segment. And you can export event log data to a database. 

The scheduling feature is 
impressive. You can schedule 
a report to be generated daily 
or at other intervals. You can 
set up the report to be saved 
in a specific location, emailed 
to you, uploaded to an FTP 
server, saved in a database, or 
all of those options. To limit 
the information in the report, 
you simply set up a filter. 



Figure 2: Event Reader 2 


Event Reader 2 

PROS: Clean, simple interface; 
impressive report scheduling 
feature 

CONS: Doesn't support Vista 
and Server 2008 because it can't 
read EVTX files 

RATING: 

PRICE: Starts at $39 

RECOMMENDATION: An inexpensive but solid piece of software, good for IT admins on a tight budget. If you don't need to support Vista or Server 2008, Event Reader is a smart choice. 

CONTACT: Altair Technologies • 416-628-7295 • www.altairtech.ca 

Event Analyst 8.0 

Figure 3: Event Analyst 8.0 

Event Analyst from Dorian Software Creations (see Figure 3) opens by greeting you with a Quick Tips message, which you can enable or disable at startup. After that, a blank UI awaits your command. When opening logs, you can choose only one computer and one log at a time; there's no option to tag multiple computers or logs to open in one shot. 

You can tell the software to open the logs in the UI or build a report. You can add additional logs, either from the same computer or from other networked computers. You can also open files saved as EVT, EVTX, CSV, or text to display within Event Analyst. 

The Research this Event Online command opens a Dorian Software webpage with links to information on the event. You can also link to the Microsoft Knowledge Base. 

You can sort the event list by any of the 
column headings. However, there was no 
heading for event type, so I wasn't able to 
sort the list to see all errors or all warnings 
grouped together. 

Event Analyst includes several predefined filters to limit the event data on display. I created and saved a filter and was able to use it on any log by running the Apply Filter command. I could also create a basic filter on the spot without having to save it. 

You can run an advanced filter that 
works against a database—Access, SQL 
Server, or Oracle. This method provides a 
wide range of options using Boolean logic to 
filter by computer, user, event ID, and other 
criteria. 

Logs can be exported to any one of four formats: HTML, comma-delimited text file, Access MDB file, or as an ODBC source to a database. You can run a report based on specific criteria of your choice or choose a built-in report. Some of the built-in reports were extremely clever and useful, such as "Top 10 Most Frequently Occurring Events." Each report contained the source of the event and other details, along with the start and end dates. 

Event Analyst's custom report designer 
proved quick and easy to use, and I was able 
to preview it as an HTML or CSV file. You can 
schedule a report to run on a regular basis 
and be saved or emailed. You can also apply 
a filter to the scheduled report to limit the 
amount of data it contains. 


Event Analyst 8.0 

PROS: Well-designed UI; clever built-in reports; easy-to-use custom report designer 

CONS: Pricier than other log managers when you 
need to monitor multiple computers 

RATING: 

PRICE: Separate server and workstation pricing: 
starts at $69.99 to monitor one server, $29.99 to 
monitor one workstation 

RECOMMENDATION: Event Analyst is a solid 
and powerful product that's easy to use and 
manage. 


CONTACT: Dorian Software Creations • 866-682- 
3646 • www.doriansoft.com 

EventMeister 3.0 

Technology Lighthouse's EventMeister 
(see Figure 4) lets you set up a service to 
collect data when no user is logged in. 
Before viewing any log file data, you 
set up an Event Log Feed, which gathers 
events from the computers you want to 
monitor into one ongoing feed. You choose 
which event logs to include, how you want 
event information to be gathered, and how 
often to poll and update the feed with new 
data. 

EventMeister uses either a "Read from log" option, which generates the feed by capturing all events from the log, including those stored before the application was installed, or a "Catch events" option, which captures new events and omits older ones. You can add new feeds from other computers to an existing group or create a new group and populate that with new feeds. 

After the feed is created, the event log 
you chose is automatically downloaded. 
You can see a list of each event including 
such fields as type, date, and 
category. 

You can also create a 
feed by opening a CSV file. 
This is a useful option if 
you already have several 
feeds exported and saved 
into one single CSV file. 
However, there's no way to 
open an EVT or EVTX file 
directly. For this option to 
work, you'd have to save 
your event logs as CSV files 
directly from Windows' 
Event Viewer. 

You sort columns by clicking any heading, and you can show or hide any column to limit the information displayed. You can also add a field on which to filter the data, then manually type in a value (e.g., date). You can then apply conditions to a value such as equal or greater than, offering a great deal of flexibility. Searching for an event is simple: You enter a text string or numeric ID to find a specific event or event type. 

Figure 4: EventMeister 3.0 

Export options are plentiful. You can 
export a feed to an HTML document, 
choosing from among six different template 
formats. You can also export a feed to other 
formats, including CSV and XML. I found 
the custom report creation was smooth and 
easy to use. 

EventMeister can notify you via email or 
PC if a certain event is triggered. You can set 
criteria so that a notification is sent under 
specific conditions. 

EventMeister 3.0 

PROS: Inexpensive; plentiful export options; 
alerting capabilities 

CONS: Can't open EVT or EVTX files directly 

RATING: ♦♦♦OO 

PRICE: Starts at $129.99 for a single license, which entitles you to monitor an unlimited number of workstations and servers 

RECOMMENDATION: EventMeister is a powerful and effective log manager that's cost effective, especially for small organizations. 

CONTACT: Technology Lighthouse • 44-0-141-891-5884 • www.logmeister.com 

Corner Bowl Log Manager 2009 

Corner Bowl Log Manager 2009 (see Figure 5) offers both event log and text log management. A dashboard alerts you to the status of the CBLM service, shows which log events were last polled, and displays pie charts of computer logs. I found the Dashboard cluttered with information that I didn't yet need, especially when opening the program the first time. 

The Network Explorer panel displays a tree view of your local machine with branches for each log. To see the events, you access a pane at the bottom of the main screen. You can also trigger a manual download by selecting the Download Events command. This process felt awkward at first, but it worked successfully. 

Each event appeared in a separate row 
in the center pane. Clicking a specific event 
revealed all its details crowded into a small 
window. Overall, I found the event window 
poorly designed and difficult to work with. 

To add new computer logs to manage, 
you can run a wizard or you can open the 
Event Log Explorer pane, browse your local 
network, then select the computers and logs 
to download. I found this a smooth process. A 
creative option lets you automate the adding 
of new computers through Active Directory. 

Before opening your event logs, CBLM 
gives you a quick filtering window, so you 
can open all events or only specific ones. To 
organize your various log files, you create 
groups, a convenient way to manage them. 

You can quickly sort the event list by 
clicking a specific header or you can group 
events by dragging column headings. To 
do quick filtering, you use the event type's 
toolbar button or configure more advanced 
filtering. As for search, you can run a simple 
search on your list of events by running the 
Find command and entering a text string to 
locate. 

You can back up and save a log in CSV, 
EVT, text, HTML, or XML. You can also 
directly open an EVT (but not EVTX) file. 

I found the report generation tool confusing. Before you set up a report, you create an Action, which specifies the output or destination of the report. Then you can generate a report by running a wizard. You specify the type of report, the name, its frequency, the computer or computers and logs to include, filters to use, and finally the action to apply. 


Corner Bowl Log Manager 2009 

PROS: Lets you automatically add computers 
from AD; can easily group events; sophisticated 
filtering and powerful report generation 

CONS: Main UI too crowded and cluttered; dialog boxes sometimes confusing; report generation tool difficult to use 

RATING: ♦♦♦OO 

PRICE: Starts at $129 to monitor up to 20 computers (but can't be installed on a server); $259 and up to monitor more computers and install on servers 

RECOMMENDATION: Corner Bowl Log 
Manager is an inexpensive yet powerful and 
robust log manager. 

CONTACT: Corner Bowl Software • 866-501- 
8670 • www.cornerbowl.com 

Easy Log Management 

Even with the newer event filtering and search options available in Server 2008, event log managers offer many benefits over Windows' Event Viewer. Whether you choose one of the above or an equally worthy solution, log managers offer flexibility and time-saving features that will simplify your job. 
MARKET WATCH 



Is Microsoft's Mobile OS losing its hold on smartphones? 

by Zac Wiggy 


The past few months have seen several new smartphones get headlines with their releases, and every new version of the iPhone's software makes waves, so it can be easy to forget Windows Mobile. The OS isn't flashy, but it has a solid place in enterprises. The question is, can it hold onto this place in the face of fierce competition? 

The Windows Mobile Phone 

Windows Mobile's main advantage is its ability to integrate with Exchange. While its competitors have been making strides in increasing their compatibility with Exchange, they lag behind Windows Mobile. For example, before the 3.0 software upgrade, iPhone users couldn't send meeting requests. 

Beyond Exchange integration, a fully Microsoft mobile ecosystem gives you some other 
advantages. System Center Mobile Device Manager (SCMDM) is a good example of how 
much the company's products work together. SCMDM integrates Windows Mobile 6.1 or 
later phones into a company's Active Directory (AD) infrastructure. Aimed at the enterprise 
market, SCMDM gives administrators control over the company's smartphones similar to 
what it already has over desktops and laptops. 

With SCMDM, smartphones get enhanced VPN functions and optimized connections. SCMDM also provides extra security, letting you use AD credentials on phones and providing a remote wipe function to destroy sensitive data on a lost phone. (See InstantDoc ID 102071.) 

If you don't mind getting your mobile management software from companies other than 
Microsoft, this advantage might not be so important for you. In fact, several companies have 
capitalized on the trend toward businesses with multiple types of smart phones and are now 
offering multi-platform smartphone management, allowing a company to have users on 
several different smartphone OSs but still manage all the phones. 

Another strength of Windows Mobile is also one of its weaknesses. Unlike the iPhone OS 
(or, to various degrees, other smartphone OSs such as PalmOS), Windows Mobile devices 
are manufactured by many different companies and available on many different kinds of 
hardware. This means Windows Mobile phones can be found on many different carriers 
and at many different prices, but it also means that two different Windows Mobile phones 
might not be able to run the same software, will each have different quirks, and may have 
UIs that look very different from one another. 

Market research firm Canalys reported in August that 3.4 million phones with Microsoft operating systems were sold in the second quarter of 2009, representing a total of 9 percent of smartphone sales. In the same quarter, Apple sold 5.2 million phones (13.7 percent), RIM sold 8 million (20 percent) and Symbian was on 19.2 million smartphones (50.3 percent). Canalys reported Microsoft's share of the market is down from 14.3 percent in the second quarter of 2008. In an earlier release, Canalys reported Microsoft had 12.2 percent of the market in the third quarter of 2007. 

The Future 

Phones running Windows Mobile 6.5 were set to be released by October 6, so they should be available by the time you're reading this. There are a few new features in this version, but the general opinion coming from those who've tried it is that 6.5 doesn't provide much more than an update to the OS's UI; this OS probably won't be an "iPhone killer." 

The new UI is designed to work better with touch screen devices. There's also a new web browser, said to be a substantial improvement over the old one, and Windows Marketplace for Mobile, a way for Windows Mobile users to purchase applications. See Paul Thurrott's preview of Windows Mobile 6.5 at tinyurl.com/cwd2v2 for more. 

One of the most touted features in Windows Mobile 6.5, My Phone, is actually available to most phones that run Windows Mobile 6 or later. My Phone automatically backs up your contacts, calendar information, text messages, photos, and other information from your phone to the My Phone site. My Phone is a free service and is similar to the Apple service MobileMe, which also synchronizes email and data, but which has an annual service fee. 

Like the iPhone, My Phone seems to be aimed at consumers, not enterprises. Some of My Phone's functions don't work if your phone already syncs with Exchange, and each My Phone account is limited to 200MB of backups. See Jeff James' look at the My Phone beta at InstantDoc ID 102340 for more on the service. 

The version of Windows Mobile following 6.5 is, by most accounts, going to be a much larger upgrade. Those in the know say that Windows Mobile 7 is a new OS, written from the ground up, and that it will be done by the end of 2010 at the earliest. Windows Mobile 7 is supposed to be Microsoft's response to its smartphone rivals, but there's not much solid information out there about the OS, so it's probably too soon to make any predictions. 


The Bottom Line 

The iPhone is obviously still a consumer-focused device, but its upgrades have shown Apple is willing to go after the business market, too. And the iPhone has an undeniable popularity: it's new, fashionable, and very easy to expand with software for both entertainment and work. As both IT pros and management pick up the iPhone on its own merits, businesses may have no choice but to support the device. Palm and BlackBerry are also joining the trend of smartphones for consumers, advertising low- and high-end devices directly to consumers. And newer phone OSs such as Android and other Linux variations are a wildcard. 

Windows Mobile might be losing the war for what consumers think of when they think of smartphones, but for now, it still has a substantial lead in the enterprise thanks to its integration with Exchange and System Center. In the long run, if its competitors improve their business functions and still manage to capture consumer loyalty, Windows Mobile could be in for rough times. 

Cloud computing is a wild card in the smartphone arena. The iPhone's app store is very popular and all of its competitors seem to want to recreate its success, but many of its apps aren't much more than web pages launched like applications. If every smartphone soon sports a high-quality web browser and always-on Internet access, developers could choose to develop web applications tailored to smartphones instead of developing applications for each phone's OS. Cloud computing from a smartphone makes sense: Internet access is delivered wirelessly, so there's a lot less concern about being stuck without Internet than with a Wi-Fi-based laptop, and because of the possibility of loss or theft, it's already a bad idea to keep too much data stored locally on a phone. Just as some people predict that in the near future, desktop OSs will be irrelevant in favor of the cloud, your phone's OS could, some day, be unimportant. 
NetWrix USB Blocker 

Now at www.netwrix.com/USB 

Stop Exchanging Intellectual Property For Viruses and Malware! 

- Affordable: only $2.50 per computer* 

- Easy to deploy and manage 

- Granular access control, integrated with AD 

- Freeware version available! 

Microsoft Partner • www.netwrix.com/USB • 1.888.638.9749 

* Price is valid for 1000 to 3000 computers. Additional discounts and site licenses available for eligible organizations. 







BUYER'S GUIDE 


USB Endpoint 
Security Solutions 

Prevent data leaks from portable devices by Caroline Marwitz 

Editor's Note: Information in this Buyer's Guide comes from vendor representatives and resources and is meant to jump-start, not replace, 
your own research; also, some products might have been left out, either as an oversight or from lack of vendor response. 


You've slathered on security solutions as best you can, within the limits of budget and resources: firewalls, antivirus, intrusion detection systems, and authentication solutions. But what about locking down your USB ports? Have you ever considered how easy it would be for one of your users to copy large amounts of sensitive data onto an iPod or USB drive? A data leak prevention solution can prevent users from siphoning off crucial data, whether maliciously or accidentally, and it can also prevent malware from infecting your system from inside. 

Microsoft Tries to Help 

If you rely just on Windows to help you, the problem with device and 
port blocking is how much control you get. In Windows Server 2003 
and Windows XP, you can't assign permissions for USB and FireWire 
ports nor for Wi-Fi and Bluetooth adapters, and you can't manage 
Wi-Fi, Bluetooth, USB, and FireWire devices via Group Policy. True, 
you can disable ports or enable read-only access, but that's about as 
granular as you're going to get. In Windows Vista and Windows 7, 
you have the ability to block USB ports and enforce policies, but not 
everyone has the option to move to newer OSs. 
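To make the "that's about as granular as you're going to get" point concrete, here are the two levers XP and Windows 2003 give you, next to the Vista/Windows 7 Removable Storage Access policy that replaces them, as an added example written for this guide (not from the article or from any vendor). The registry paths and the Removable Disks class GUID are the ones Windows and Group Policy use; the function names and the three-mode model (Allow, ReadOnly, Block) are this example's own. Run it elevated; every setting here is machine-wide.

```powershell
# Added example (not from the article or any vendor product). Assumes
# PowerShell 2.0 run as an administrator and the default registry layout.
# Function names and the Allow/ReadOnly/Block model are this example's own.

$usbstor   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$storePol  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
# "Removable Disks" storage class, the key Group Policy writes for
# Computer Configuration > Administrative Templates > System > Removable Storage Access
$removable = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableStorageMode {
    param([ValidateSet('Allow', 'ReadOnly', 'Block')] [string] $Mode)

    # --- XP / Windows 2003 lever 1: stop the USB mass-storage driver ---------
    # Start=4 disables the usbstor service so no USB disk is ever mounted;
    # Start=3 (demand start) is the default. All-or-nothing, every user.
    $start = if ($Mode -eq 'Block') { 4 } else { 3 }
    Set-ItemProperty -Path $usbstor -Name Start -Value $start -Type DWord

    # --- XP / Windows 2003 lever 2: read-only removable volumes --------------
    # WriteProtect=1 (XP SP2 / 2003 SP1 and later) blocks copying *out*;
    # the user can still bring a file (or malware) in.
    if (-not (Test-Path $storePol)) { New-Item -Path $storePol -Force | Out-Null }
    $wp = if ($Mode -eq 'ReadOnly') { 1 } else { 0 }
    Set-ItemProperty -Path $storePol -Name WriteProtect -Value $wp -Type DWord

    # --- Vista / Windows 7: the policy that supersedes both levers -----------
    # Deny_Read / Deny_Write are the values the GPO editor writes; they are
    # per device class, still not per device or per user.
    if (-not (Test-Path $removable)) { New-Item -Path $removable -Force | Out-Null }
    $denyWrite = if ($Mode -eq 'Allow') { 0 } else { 1 }
    $denyRead  = if ($Mode -eq 'Block') { 1 } else { 0 }
    Set-ItemProperty -Path $removable -Name Deny_Write -Value $denyWrite -Type DWord
    Set-ItemProperty -Path $removable -Name Deny_Read  -Value $denyRead  -Type DWord
}

function Get-RemovableStorageMode {
    # Read the current state back so a compliance check can detect drift,
    # e.g. a local administrator who set Start back to 3.
    $p = @{ Start = $null; WriteProtect = $null; Deny_Write = $null; Deny_Read = $null }
    $p.Start = (Get-ItemProperty -Path $usbstor).Start
    if (Test-Path $storePol)  { $p.WriteProtect = (Get-ItemProperty -Path $storePol).WriteProtect }
    if (Test-Path $removable) {
        $p.Deny_Write = (Get-ItemProperty -Path $removable).Deny_Write
        $p.Deny_Read  = (Get-ItemProperty -Path $removable).Deny_Read
    }
    New-Object PSObject -Property $p
}

Set-RemovableStorageMode -Mode ReadOnly
Get-RemovableStorageMode
```

Three caveats a practitioner should carry into the product comparison. Disabling usbstor stops only USB mass storage: a phone in MTP mode, a FireWire disk, a CD burner, a Bluetooth transfer or a modem are untouched, which is why the device lists in the table below are so long. Every value above is machine-wide and is trivially reversed by a local administrator, so push it from a GPO (or the product's console) rather than by hand so it reasserts itself. And none of these keys can say "this one serial number, for members of this one group, with an audit record"; that per-device, per-user granularity plus reporting is the whole case for the agents that follow.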

Third-Party Solutions 

You can find some great device control solutions that are part of 
a larger security suite or desktop management suite, including 
solutions from ControlGuard, ManageEngine, NextLabs, Novell, 
ScriptLogic, SkyRecon, Sophos, and Symantec. But what if you want 
something more lightweight, with a smaller footprint? 

In our decidedly unscientific research, we found over a dozen 
device control solutions to get you started. (The table on pages 58-59 
shows product information.) These are solutions that we hope (but 
can't promise) you could implement right away without needing a 
lot of additional training or product consultation. 

How They Work 

Many device control solutions install an agent on your user's machine. Typically, you can create policies that then are enabled on users' machines to block or allow devices and port usage. You can usually create whitelists of approved devices and/or approved users, though with some solutions you can also use blacklists. If the solution is one that integrates with Active Directory (AD), the agent queries AD when the user logs on, and sets permissions to the different nodes accordingly. If the user isn't a member of a group that's allowed access to a particular device or set of devices, then access is blocked. 

Depending on how complicated your users' needs are, you 
might need a solution with highly granular controls, for example, 
to allow a particular flash drive to be used but to block others, or to 
specify the types of files that users can access and copy. 
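The decision such an agent makes at logon reduces to two inputs: the device's Plug and Play instance ID and the user's group list. The following is an added illustration for this guide, not code from the article or from any listed product: a default-deny allow list that matches at the three granularities the product table describes (vendor only, vendor plus product, vendor plus product plus serial) and then requires membership in one of the rule's groups. The instance ID format (USB\VID_xxxx&PID_xxxx\serial) is what Windows reports for a USB device; the vendor/product IDs, serials and group names are made up.

```powershell
# Added example (not from the article or any listed product). Assumes
# PowerShell 2.0. Rule contents and group names are constructed test data;
# the instance-ID format is the one Windows uses for USB devices.

# Allow list, one rule per entry. Product and Serial are optional: a rule
# with only Vendor set is a "VID match", with Product a "VID PID match",
# with Serial a single physical device.
$AllowList = @(
    @{ Vendor = '0781'; Product = '5567'; Serial = '4C530001234567890123'; Groups = @('USB-Approved-Users') },
    @{ Vendor = '0951'; Product = '1666'; Serial = $null;                  Groups = @('USB-Approved-Users', 'IT-Helpdesk') },
    @{ Vendor = '0930'; Product = $null;  Serial = $null;                  Groups = @('IT-Helpdesk') }
)

function ConvertFrom-UsbInstanceId {
    # "USB\VID_0781&PID_5567\4C530001234567890123" -> Vendor / Product / Serial
    param([string] $InstanceId)
    if ($InstanceId -match '^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\([^&\\]+)') {
        return New-Object PSObject -Property @{
            Vendor  = $Matches[1].ToUpper()
            Product = $Matches[2].ToUpper()
            Serial  = $Matches[3]
        }
    }
    return $null
}

function Test-DeviceAllowed {
    param([string] $InstanceId, [string[]] $UserGroups)
    $dev = ConvertFrom-UsbInstanceId $InstanceId
    if (-not $dev) { return 'Deny: unparsable instance ID' }

    foreach ($rule in $AllowList) {
        if ($rule.Vendor -ne $dev.Vendor) { continue }
        if ($rule.Product -and ($rule.Product -ne $dev.Product)) { continue }
        if ($rule.Serial  -and ($rule.Serial  -ne $dev.Serial))  { continue }
        # The device matches at this rule's granularity; now the user must be
        # in one of the rule's groups (the AD lookup the text describes).
        foreach ($g in $rule.Groups) {
            if ($UserGroups -contains $g) {
                $level = if ($rule.Serial) { 'serial' } elseif ($rule.Product) { 'vendor+product' } else { 'vendor' }
                return "Allow ($level match, group $g)"
            }
        }
    }
    # Default deny: not listed, or listed only for groups this user is not in.
    return 'Deny: no matching rule for this user'
}

# The real agent would take the groups from the logon token; this is one way
# to read them for the current user on the box.
$myGroups = whoami /groups /fo csv | ConvertFrom-Csv | ForEach-Object { $_.'Group Name' }

# Constructed cases: exact device, same model with another serial,
# a vendor-only rule, and a user outside every rule's groups.
Test-DeviceAllowed 'USB\VID_0781&PID_5567\4C530001234567890123' @('USB-Approved-Users')
Test-DeviceAllowed 'USB\VID_0781&PID_5567\4C530009999999999999' @('USB-Approved-Users')
Test-DeviceAllowed 'USB\VID_0930&PID_6545\0012345'              @('IT-Helpdesk')
Test-DeviceAllowed 'USB\VID_0930&PID_6545\0012345'              @('Domain Users')
```

Two things to check when you evaluate a product against this model: whether it keys on the serial number at all (vendor and product IDs are shared by every unit of a model, and some cheap drives report no serial), and what it does when the AD query fails at logon, since an agent that fails open on a disconnected laptop is exactly the case a data-leak policy is meant to cover.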

What to Look For 

When you're considering device control solutions, you'll want ease of management and granularity in your lock-down control. Considering that a desktop can have eight USB ports, plus other types of ports, even a small organization could have thousands of ports to manage and control, so a central, easy-to-use management interface is key. And given the complexity of most organizations and the need to comply with a myriad of regulations, granularity of control is important. It's not enough to simply restrict all devices or all ports. 

Integration with AD and Group Policy Objects will be important 
to many organizations. Finally, as you dive deeper into solutions, 
you might want to consider how the agent (if there is one) is installed 
(whether automatically or manually), how the tool "groups" PCs 
(into Security Groups, OUs, other proprietary classifications), and 
the quality and variety of reporting tools. 

Note that many, if not most, of these products require a back-end data store, such as Microsoft SQL Server. Also, many products offer unattended installation or the option to run in silent or stealth mode, so users don't know they're being actively restricted. Whether you want this option will depend on your organization. 

It's a USB World 

In an ideal world, you'd inventory all your sensitive data, get all those crucial files into network storage and off of individual PCs, and beef up your local storage access controls, and your users would never bring USB flash drives, iPods, and PDAs to work. But to ignore such devices is to risk data loss that could cause embarrassment, litigation, and financial loss as well as wreak havoc on people's lives. 
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USB ENDPOINT SECURITY 


Company 

Product 

Price 

Devices Controlled 

Supported OSs 

AC Element 

www.myusbonly.com 

MyUSBOnly 

Starts at $29.90 

USB pen drives and any USB hardware; iPods; card readers 

Windows Server 2003, 

Windows Vista, Windows 

XP, Windows 2000 

Advanced Systems 

888-361-8718 

603-484-1942 

www.advansysusa.com 

USB Lock RP 
(Remote Protect) 

Starts at $190 

Includes portable flash memory devices; MP3 players and 
iPods; external and internal optical drives, including CD/ 
DVD drives; cameras; card readers; PDAs and handheld 
computers; wireless transceivers such as IrDA-interface 
devices and Bluetooth 

Windows Server 2008, 

Windows 2003, Windows 

7, Vista, XP, Win2K 

Awareness Technologies 

866-513-7015 

310-822-4557 

www.awareness 

technologies.com 

InterGuard 

DATALOCK 

Starts at $40 for 
100-499 PCs 

Blocks data leaving a system via USB devices and other 
portable devices; email; email attachments 

Vista, XP, Win2K 

Centennial Software 
FrontRange Solutions 

866-355-7455 

www.centennial- 

software.com 

DeviceWall 

Consult vendor 

USB flash drives; Bluetooth devices; cameras; CD/DVD 
drives; cell phones; floppy drives; MP3 players and other 
portable storage devices 

Windows 2003, XP, 

Win2K, Windows NT 

Check Point Software 
Technologies 

800-429-4391 

866-488-6691 

www.checkpoint.com 

Check Point Media 
Encryption 

Starts at $45 per 
seat 

Includes USB flash drives; biometric devices; cameras; CD/ 
DVD drives; external hard drives; floppy drives; imaging 
devices and scanners; iPhones; PDAs; printers; Smart Card 
readers; tape drives; Windows Mobile and BlackBerry 
devices; wireless network interface cards 

Windows 2003, Vista, XP, 

Win2K 

CoSoSys 

408-239-4727 

www.cososys.com 

Endpoint Protector 
2009 

Starts at $25 per PC 

USB flash drives; wireless USB; BlackBerry devices; 

Bluetooth; biometric drives; cameras; card readers (inter¬ 
nal and external); CD/DVD; floppy drives; external HDDs; 
  Devices controlled: FireWire devices; iPods; memory cards (SD, MMC, CF); MP3 players; PDAs; printers; smartphones; ZIP drives
  Supported platforms: Windows 2003, Windows 7 RC, Vista, XP

CREDANT Technologies (866-273-3268, 972-458-5454)
  Product: CREDANT Protector
  Price: Starts at $32 per seat for 100-249 licenses
  Devices controlled: Flash cards, external disks, and CD/DVD media; iPhones; scanners, cameras, and other peripherals; Windows Mobile and BlackBerry devices; blocks Wi-Fi, Bluetooth, modems, or IrDA while the PC is connected to the wired corporate LAN
  Supported platforms: Windows 2003, Vista, XP

DeviceLock (866-668-5625, 925-231-4400, www.devicelock.com)
  Product: DeviceLock
  Price: Starts at $42 for a single license
  Devices controlled: USB drives; any type of printer, including local, network, and virtual printers; CD/DVD; floppy drives; Bluetooth devices; infrared devices; other removable and Plug-and-Play devices; Windows Mobile and Palm OS-based PDAs and smartphones
  Supported platforms: Server 2008, Windows 2003, Vista, XP, Win2K, NT

GFI Software (888-243-4329, 919-379-3397, www.gfi.com)
  Product: GFI EndPointSecurity
  Price: Starts at $25 per computer for 10-24 computers
  Devices controlled: USB sticks; CD/DVD drives; floppy disks; imaging devices; iPods; modems; network adapters; printers; PDAs; storage devices
  Supported platforms: Server 2008, Windows 2003, Vista, XP, Win2K

Layton Technology (813-319-1390, www.laytontechnology.com)
  Product: DeviceShield
  Price: Starts at $595 for 25 PCs
  Devices controlled: Any portable device, including USB storage and peripherals; BlackBerry devices; Bluetooth devices; CD/DVD drives; floppy drives; infrared devices; iPods; modems; PalmOS devices; scanners and cameras; tape drives
  Supported platforms: Windows 2003, XP, Win2K

Lumension (480-970-1025, www.lumension.com)
  Product: Lumension Device Control
  Price: Starts at $14 per node for 501-1000 seats
  Devices controlled: Removable devices such as USB sticks and media such as CDs/DVDs, plus non-standard device types (such as iPAQ, OTEC, HTC, or webcams)
  Supported platforms: Server 2008 R2, Windows 2003, Windows 7, Vista, XP, Win2K; also Windows Server 2008 Hyper-V and VMware Infrastructure 3

NetWrix (888-638-9749, www.netwrix.com)
  Product: USB Blocker (commercial version)
  Price: Starts at $2.50 per managed computer
  Devices controlled: USB storage devices; imaging devices; printers; PDAs
  Supported platforms: XP and later

Safend (www.safend.com)
  Product: Safend Protector
  Price: Starts at $34 per seat for small quantities, down to $13 per seat for large quantities
  Devices controlled: USB; CD/DVD, floppy, and tape drives; external hard drives; FireWire, PCMCIA, SD, parallel, serial, and modem interfaces; Bluetooth, IrDA, and Wi-Fi devices; removable storage devices
  Supported platforms: Windows 2003, Vista, XP, Win2K

Trend Micro (800-228-5651, 408-257-1500, www.trendmicro.com)
  Product: Trend Micro LeakProof 5.0 (Standard)
  Price: Starts at $24.33 per user in year one; 30 percent maintenance in subsequent years
  Devices controlled: USB; CD/DVD; COM and LPT ports; infrared and imaging devices; modems; removable disks; Bluetooth; IrDA; PCMCIA
  Supported platforms: Server 2008, Windows 2003, Vista, XP
USB ENDPOINT SECURITY

Entry 1
  Encrypts removable devices: No
  Granularity of lockdown: Offers USB device whitelisting by brand or serial number.
  Integrates with Active Directory: No
  Additional features: Zero administration requirements; personal firewall-like operation.
  Alerts/Reports: Yes/Yes

Entry 2
  Encrypts removable devices: Yes
  Granularity of lockdown: Allows only the use of specifically authorized devices through a whitelist deployed at the client or network level; a device can be specified by VID, PID, and product number; by VID and PID match; or by VID match only (VID and PID are the USB vendor ID and product ID).
  Integrates with Active Directory: Yes
  Additional features: Restricts or allows device usage; controlled remotely from a centralized location, in real time.
  Alerts/Reports: Yes/Yes

Entry 3
  Encrypts removable devices: No
  Granularity of lockdown: Scans files and blocks the copying of any file to removable media or to email based on the file's content and the employee's job function; also scans email messages to enforce policy.
  Integrates with Active Directory: Yes
  Additional features: Can operate either on a dedicated server within your organization or on a fully hosted central management and service provisioning platform for delivery as Software as a Service (SaaS).
  Alerts/Reports: Yes/Yes

Entry 4
  Encrypts removable devices: Yes
  Granularity of lockdown: Access is defined by user rights according to the currently logged-in user's privileges; can enable time-limited access to blocked device classes; customizable device whitelisting.
  Integrates with Active Directory: Yes
  Additional features: The first solution of its type to combine device management with advanced content filtering technologies, to determine the true nature of any data file even if the file extension or properties were altered.
  Alerts/Reports: Yes/Yes

Entry 5
  Encrypts removable devices: Yes
  Granularity of lockdown: Whitelist, blacklist, greylist; ability to make specific devices read-only and also to enforce encryption-only on specific devices; capability to control execution of applications on devices.
  Integrates with Active Directory: Yes
  Additional features: The next version of Media Encryption will include new encryption features such as file-based encryption, which allows selection of an encryption mode for external storage media.
  Alerts/Reports: Yes/Yes

Entry 6
  Encrypts removable devices: Yes
  Granularity of lockdown: Device control based on specific whitelisted devices or device types; policies can be set for user or PC groups.
  Integrates with Active Directory: Yes
  Additional features: The only Windows and Mac OS X compatible solution in its class; web-based administrative interface; support for Windows and Linux; offers a separate "Endpoint Security-as-a-Service" offering called My Endpoint Protector SaaS.
  Alerts/Reports: Yes/Yes

CREDANT Protector
  Encrypts removable devices: Yes
  Granularity of lockdown: Can whitelist vendors, models, or distinct devices; set and enforce security policies by domain, group, computer, or user.
  Integrates with Active Directory: Yes
  Additional features: Protects against both PS/2 and USB hardware keyloggers; tracks file transfers from/to encrypted devices on non-corporate computers.
  Alerts/Reports: Yes/Yes

DeviceLock
  Encrypts removable devices: No, but integrates with PGP, TrueCrypt, IronKey, and others that do
  Granularity of lockdown: Security access, audit, and shadow settings by device port, class, and type; whitelist by device model number or ID and by assigned users and groups, with read, write, and format controls and day, hour, and file controls.
  Integrates with Active Directory: Yes, and has the only MMC console for Group Policy
  Additional features: The only enterprise contextual DLP and port/device control solution to integrate directly with AD GPOs, with its MMC console pushing access, audit, shadow, and keylogger detection settings automatically to all endpoints.
  Alerts/Reports: Yes/Yes

GFI EndPointSecurity
  Encrypts removable devices: Yes
  Granularity of lockdown: Allows or denies access to a range of device classes; blocks files transferred by file extension, physical port, and device ID; can specify users or groups to manage their access to devices; can define device whitelists and blacklists.
  Integrates with Active Directory: Yes
  Additional features: Allows administrators to grant temporary device or port access for a stipulated time frame.
  Alerts/Reports: Yes/Yes

Layton DeviceShield
  Encrypts removable devices: Yes
  Granularity of lockdown: Can restrict access based on port, device, model, or file type.
  Integrates with Active Directory: Yes
  Additional features: Has a user-friendly interface and offers the ability to have your network locked down in just a few minutes.
  Alerts/Reports: Yes/Yes

Lumension Device Control
  Encrypts removable devices: Yes
  Granularity of lockdown: Uses a device-whitelist default/deny approach to control access by specific users, user groups, machines, machine groups, device unique ID/model/group/class, day and time of day, file type, and more.
  Integrates with Active Directory: Yes
  Additional features: Scales from 100 to 100,000 seats at single or multiple locations with multiple admins; can be used to independently manage access to devices encrypted with PGP Whole Disk Encryption (WDE).
  Alerts/Reports: Yes/Yes

NetWrix USB Blocker
  Encrypts removable devices: No
  Granularity of lockdown: Restricts access by entire domain or selected OUs; grants explicit access to users/groups; device whitelist/blacklist by attributes (e.g., vendor, model number); grants temporary access by pass code.
  Integrates with Active Directory: Yes
  Additional features: USB Blocker also comes in a freeware version for controlling storage devices only.
  Alerts/Reports: Yes, via the free NetWrix Event Manager add-on/Yes

Safend Protector
  Encrypts removable devices: Yes
  Granularity of lockdown: Granular hierarchical controls: by port, then device type, device name, and, for storage, by file type; policies based on machine and user.
  Integrates with Active Directory: Yes
  Additional features: Part of a suite that also does hard disk encryption and will shortly do content-aware monitoring and content discovery, all with the same agent, server, and console.
  Alerts/Reports: Yes/Yes

Trend Micro LeakProof 5.0 (Standard)
  Encrypts removable devices: Yes
  Granularity of lockdown: Comprehensive policy templates and settings; granular USB controls for device manufacturer, model, and serial number.
  Integrates with Active Directory: Yes
  Additional features: Unique active update service dynamically updates compliance templates, validators, and applications.
  Alerts/Reports: Yes/Yes
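The lockdown granularity the table compares comes down to one matching rule: a whitelist entry names a vendor (VID), a vendor plus product (VID+PID), or one physical unit (VID+PID+serial); the most specific entry wins; and anything matched by no entry is denied. The Python below is a worked example of that rule, added to this guide; it is not any listed vendor's code. The instance-ID layout is the real Windows Plug and Play format (USB\VID_xxxx&PID_xxxx\serial, shown in Device Manager's Details tab as "Device instance path"); the vendor and product IDs, serial numbers, rules, timestamps, and the decide_at helper are constructed for the demonstration. It also handles the edge case that makes per-unit whitelisting quietly unreliable: a device that reports no serial number gets a port-dependent path generated by Windows (it contains "&"), so a rule keyed on that string stops matching as soon as the stick is moved to another port.

```python
"""Default-deny USB whitelist evaluation, modelled on the lockdown
granularity compared above (vendor / vendor+product / single unit by
serial, read-only devices, temporary grants, blacklist entries).
Example code added for this guide, not any vendor's implementation.
The instance-ID layout is the real Windows PnP format
USB\\VID_xxxx&PID_xxxx\\<serial>; every ID, rule and time is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# USB\VID_0781&PID_5567\4C530001230305109313  ->  vid, pid, serial-or-path
_INSTANCE_RE = re.compile(
    r"^USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\(.+)$", re.IGNORECASE)


@dataclass(frozen=True)
class Device:
    vid: str
    pid: str
    serial: str

    def has_real_serial(self) -> bool:
        # Windows generates a path such as "6&1a2b3c4d&0&2" for devices that
        # report no serial number; the path changes with the port used, so
        # such units cannot be whitelisted individually.
        return "&" not in self.serial


def parse_instance_id(instance_id: str) -> Device:
    m = _INSTANCE_RE.match(instance_id.strip())
    if not m:
        raise ValueError(f"not a USB device instance ID: {instance_id!r}")
    vid, pid, serial = m.groups()
    return Device(vid.upper(), pid.upper(), serial)


@dataclass(frozen=True)
class Rule:
    vid: str                            # required: vendor-level match
    pid: Optional[str] = None           # None -> any product of that vendor
    serial: Optional[str] = None        # None -> any unit of that model
    allow: bool = True                  # False -> blacklist entry
    read_only: bool = False             # enforce read-only on matching units
    expires: Optional[datetime] = None  # temporary grant; None = permanent

    def specificity(self) -> int:
        return (self.pid is not None) + (self.serial is not None)

    def matches(self, dev: Device, now: datetime) -> bool:
        if self.expires is not None and now >= self.expires:
            return False
        if self.vid.upper() != dev.vid:
            return False
        if self.pid is not None and self.pid.upper() != dev.pid:
            return False
        if self.serial is not None and self.serial != dev.serial:
            return False
        return True


@dataclass(frozen=True)
class Decision:
    allowed: bool
    read_only: bool
    reason: str


def decide(instance_id: str, rules: List[Rule], now: datetime) -> Decision:
    """Most specific matching rule wins; on a tie a deny rule wins;
    a device matched by no rule at all is denied (default deny)."""
    dev = parse_instance_id(instance_id)
    hits = [r for r in rules if r.matches(dev, now)]
    if not hits:
        return Decision(False, False, "default deny: no matching rule")
    best = max(hits, key=lambda r: (r.specificity(), not r.allow))
    scope = ("vendor", "vendor+product", "single unit")[best.specificity()]
    if not best.allow:
        return Decision(False, False, f"denied by {scope} rule")
    if best.serial is not None and not dev.has_real_serial():
        # A generated path is not a stable identity; refuse rather than
        # silently trust a rule that was keyed on it.
        return Decision(False, False, "serial rule matched a generated path")
    return Decision(True, best.read_only, f"allowed by {scope} rule")


def decide_at(instance_id: str, rules: List[Rule], when_iso: str) -> Decision:
    """Convenience wrapper taking the evaluation time as an ISO-8601 string."""
    return decide(instance_id, rules, datetime.fromisoformat(when_iso))


# Constructed policy: vendor 0781 read-only by default, model 5567 read-write,
# one lost unit of that model blocked, and a time-limited grant for one model.
SAMPLE_RULES = [
    Rule("0781", read_only=True),
    Rule("0781", "5567"),
    Rule("0781", "5567", "4C530001230305109313", allow=False),
    Rule("1234", "0001", expires=datetime(2009, 7, 1, 17, 0)),
]

if __name__ == "__main__":
    for dev_id in ("USB\\VID_0781&PID_5567\\4C530009990000000001",
                   "USB\\VID_0781&PID_5567\\4C530001230305109313",
                   "USB\\VID_0781&PID_5580\\0123456789",
                   "USB\\VID_1234&PID_0001\\6&1a2b3c4d&0&2",
                   "USB\\VID_0951&PID_1666\\ABCDEF"):
        print(dev_id, decide_at(dev_id, SAMPLE_RULES, "2009-06-30T09:00"))
```

Running the block prints one decision per constructed device. A blacklist entry is simply a rule with allow=False that outranks an allow at the same or lower specificity, and a temporary grant is an allow entry with an expiry, so neither needs a separate code path; what the products above add on top is the central policy store, the kernel driver that enforces the decision, and the audit trail.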
INSIGHTS FROM THE INDUSTRY


Who Would You Hire? 


Sick of always being on the nervous end of the negotiation table? Well, just for fun, let's take on the role of a hiring manager. I'll start by presenting the scenario and then take a look at three candidates, at which point you will select one (and, if you want, participate in the poll on the website).

All of the characters, companies, and so on are completely hypothetical and came straight from my ever-wandering mind. I will make some assumptions that aren't always true, based on the experience, background, and record of each candidate. Realistically, if we were down to only three candidates, interviews and skills tests would most likely be the determining factors. But it's just hypothetical, right?

The Company 

You work at Centaur Shipping, a logistics company with about 100 employees. Your company serves medium to large organizations by providing tracking software that helps them manage their warehouse supply, freight trucks, and so on, so that they can run their shipping business more efficiently. Your company's core strength is its cutting-edge software, and a staff that is well-versed in this technology and can translate it into clear business efficiencies.

You have several IT professionals in your organization. You are the IT manager, overseeing your small crew. You currently have one employee who oversees email/Exchange, manages the staff's BlackBerry devices, and handles some other assorted tasks. Another employee handles SharePoint and Active Directory and troubleshoots problems as they arise.

The open position is for a do-it-all generalist who can become well-versed in the tracking software and troubleshoot errors. This employee will also have an important role in new software deployments, and will be expected to serve a strategic role in determining the limitations of the company's hardware and software and reporting those concerns directly to you, the IT manager. All in all, this person will have the closest pulse on employee needs of anyone on your IT staff.

What You Want 

Before even opening up the position, you've begun to sketch the type of worker you want. You want someone who is independent and can quickly become acclimated to the new system and to how Centaur does business. You want someone who is smart and fast, and can make important decisions on the fly without fear or error. Lastly, you want someone who is loyal and committed to strengthening the company.

Your boss, the director of business development, has left you with a fairly open budget for the employee: a $35-60K salary. If you could get a competent employee at the lower end of that range, that'd certainly earn you kudos, but the position is important enough that your priority, by far, is finding the right candidate.

Candidate 1: Trevor 

Trevor is a young, talented, new college graduate. He's friendly, respectful, and very eager to impress a new boss and grow internally with a good company. While his relative inexperience is a concern, he shows promise based on his success at the reputable college he attended, as well as glowing remarks from an internship he held his senior year.

Opportunities: As a fresh face, Trevor 
would be eager to please, quickly adapt¬ 
ing to the needs of both the organization 
and the staff. He would be well-liked. You 
believe he'd be able to quickly pick up your 
organization's software and would put sig¬ 
nificant effort into his work. You also believe 
he would be a loyal employee, provided he 
received adequate pay and recognition. And 
speaking of pay, you surmise you'd be able 
to get him for the lower end of the salary 
spectrum. 

Concerns: One key concern is that, given his inexperience, Trevor wouldn't bring the wealth of background experience that more seasoned candidates bring to a new organization: a valuable assessment of the organization's strengths and weaknesses before they get too versed in the company structure. You also worry that he might be hesitant to point out problems and concerns, and slow to conclude that new software or hardware is needed to keep the company flowing.

Candidate 2: Greg 

Greg is an administrator with good experience and tons of promise. He's been in the industry for eight years and has earned a glowing reputation as a problem solver, a go-getter, an above-and-beyond A player. In his relatively short career, he has climbed the company ladder several times, jumping from a small marketing company to a significant administrator role at a major technology company. Unfortunately, you fear that motivating Greg and keeping him happy will be a concern.
Opportunities: With Greg's experience, wit, and top-notch training, bringing him into your organization would be like bringing a valued consultant to work full time. You can just imagine the handful of valuable ideas he'll bring to the table. You have little doubt that if Greg joins the team, he'll shake things up, but in a good way. He'll enhance efficiencies, and he might eventually take on a high-level management position in the organization.

Concerns: Despite Greg's startling credentials, you fear that his personality might clash with the organization. Centaur is made up largely of type-A account executives, big personalities with a specific idea of how things should be done. You sense some major potential character clashes between employees who are struggling with the technology and this new, likely unforgiving systems admin. The more a person expects from himself, the more he expects from others, you figure. Also, Greg will likely be a ruthless negotiator on salary.


Candidate 3: Jane 

Jane is a competent, seasoned professional with 20+ years' experience in a variety of administrator functions. She has experience with large-scale organizational deployments and has dealt with employees of all types and personalities. She has a likeable personality but also a strong knowledge of technology, business, and people. She was laid off from the organization she had worked at for 15 years when the corporation hit tough times and cut 10 percent of its staff.

Opportunities: Jane offers a lot to Cen¬ 
taur—loyalty, competence, and personality. 
You have little doubt that she'll click with 
your account managers, and also take the 
time to help those struggling with the tech¬ 
nology. However, she can also hold her own 
when faced with company crises or major 
deployments. 

Concerns: Because Centaur focuses on cutting-edge technology, you worry that Jane might struggle with the new systems and might tire of the constant change that is common there. Your company has a way of doing things differently, and getting deeply immersed in the company culture is important. Also, as a hiring manager 10 years her junior, you worry that she might have some animosity about taking direct orders on technical decisions from you, especially since your background is as much business strategy as it is IT.

Make the Tough Decision

Now, decide who you're going to hire! Select the candidate who has the best blend of technical competence, growth potential, company fit, personality, and loyalty.

As you can see, no available candidate is perfect for the job. It's up to you to choose who you think is the best fit. To vote, go to www.windowsitpro.com, InstantDoc ID 102669. Feel free to continue the conversation on Twitter at twitter.com/breinholz.

—Brian Reinholz

InstantDoc ID 102669
NEW WAYS TO REACH WINDOWS IT PRO EDITORS:

LinkedIn: To check out the Windows IT Pro group on LinkedIn, sign in on the LinkedIn homepage (www.linkedin.com), select the Search Groups option from the pull-down menu, and use "Windows IT Pro" as your search term.

Facebook: We've created a page on Facebook for Windows IT Pro, which you can access at http://tinyurl.com/d5bquf. Visit our Facebook page to read the latest reader comments, see links to our latest web content, browse our classic cover gallery, and participate in our Facebook discussion board.

Twitter: Visit the Windows IT Pro Twitter page at www.twitter.com/windowsitpro.

Regional Forums: We've introduced regional 
areas in our online forums, allowing IT user group 
leaders and other readers interested in meeting 
locally to more easily communicate with each other. 
Visit our forums at www.windowsitpro.com/forums 
and scroll down to see the new regional forums. 
Figure 2: Error cascade (screenshot of a Windows Internet Explorer script error dialog)


SEND US YOUR HUMOR!


Email your industry humor, 
scandalous rumors, funny screenshots, 
favorite end-user moments, and 
IT-related pics to rumors@ 
windowsitpro.com. If we use your 
submission, you'll receive 
A FREE GIFT. 


—Dennis 


User Moment of the Month

I work as a systems administrator at a small company, 
and I handle a fair share of Help desk calls. I got an IM 
from someone asking for help on behalf of a frantic 
user. The user was dumbfounded because his screen 
was suddenly upside-down for no apparent reason. He 
had no idea how such a strange thing had happened. 

I called the user and instructed him to hit Ctrl+Alt+Up 
Arrow. The screen righted itself, and the user was 
amazed. He ended up blaming a cat for walking 
across his keyboard on just the right key combination 
(Ctrl+Alt+Down Arrow) to flip the screen. Next time, 
perhaps the cat will hit Ctrl+Alt+Left Arrow or Right 
Arrow to flip the screen a quarter turn. 


Figure 2 detail: the script error dialog (with its Line, Char, Error, Code, and URL fields) reads "An error has occurred in the script on this page. Do you want to continue running scripts on this page? Yes / No", and a second dialog on top of it reads "An error has occurred in this dialog. Error: 54. Unspecified error."
Are you a heavy sleeper? Finding yourself late to work too often? We got a kick out of this announcement from iLuv, creator of the iMM153 Desktop Dual Alarm Clock with Bed Shaker for iPod. Advertised as a "shake-you-awake alarm clock," the iMM153 features seven ways to yank you from sweet slumber, but its most unique feature is a Bed Shaker accessory that will "wake even the deepest of sleepers." You can wake up to your iPod, FM radio, buzzer, bed shaker, iPod plus bed shaker, FM radio plus bed shaker, or buzzer plus bed shaker. The iMM153 costs $60.


Figure 1: Uh oh (screenshot of an Address Bar error reading "Windows cannot find Local Disk (C:). Check the spelling and try again.")